Signature processing system, key generation device, signature device, verification device, signature processing method, and signature processing program

ABSTRACT

The object is to provide an attribute-based signature scheme which is flexible in the design and which supports a non-monotone predicate. An access structure is constituted by applying the inner-product of the attribute vectors to a non-monotone span program. This access structure is flexible in the design of the span program and in the design of the attribute vectors, providing high flexibility in the design of access control. By incorporating the concept of secret distribution in the access structure, the attribute-based signature scheme which supports the non-monotone predicate is realized.

TECHNICAL FIELD

The present invention relates to an attribute-based signature (ABS) scheme.

BACKGROUND ART

Non-Patent Literatures 26, 29, 30, 34 to 37, 45, and 51 describe an attribute-based signature scheme. Particularly, Non-Patent Literatures 36 and 37 describe an attribute-based signature scheme that supports a monotone predicate.

CITATION LIST Patent Literature

-   Non-Patent Literature 1: Beimel, A., Secure schemes for secret     sharing and key distribution. PhD Thesis, Israel Institute of     Tech-nology, Technion, Haifa, Israel, 1996. -   Non-Patent Literature 2: Belenkiy, M., Camenisch, J., Chase, M.,     Kohlweiss, M., Lysyanskaya, A. and Shacham, H.: Randomizable proofs     and delegatable anonymous credentials. CRYPTO 2009. LNCS, Springer     Heidelberg (2009) -   Non-Patent Literature 3: Belenkiy, M., Chase, M., Kohlweiss, M. and     Lysyanskaya, A.: P-signatures and noninteractive anonymous     credentials. TCC 2008, LNCS, Springer Heidelberg (2008) -   Non-Patent Literature 4: Bethencourt, J., Sahai, A., Waters, B.:     Ciphertext-policy attribute-based encryption. In: 2007 IEEE     Sym-posium on Security and Privacy, pp. 321.334. IEEE Press (2007) -   Non-Patent Literature 5: Boneh, D., Boyen, X.: Efficient     selective-ID secure identity based encryption without random     oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS,     vol. 3027, pp. 223.238. Springer Heidelberg (2004) -   Non-Patent Literature 6: Boneh, D., Boyen, X.: Secure identity based     encryption without random oracles. In: Franklin, M. K. (ed.)     CRYPTO 2004. LNCS, vol. 3152, pp. 443.459. Springer Heidelberg     (2004) -   Non-Patent Literature 7: Boneh, D., Boyen, X., Goh, E.: Hierarchical     identity based encryption with constant size ciphertext. In:     Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440.456.     Springer Heidelberg (2005) -   Non-Patent Literature 8: Boneh, D., Franklin, M.: Identity-based     encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001.     LNCS, vol. 2139, pp. 213.229. Springer Heidelberg (2001) -   Non-Patent Literature 9: Boneh, D., Hamburg, M.: Generalized     identity based and broadcast encryption scheme. In: Pieprzyk, J.     (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455.470. Springer     Heidelberg (2008) -   Non-Patent Literature 10: Boneh, D., Katz, J., Improved efficiency     for CCA-secure cryptosystems built using identity based encryp-tion.     RSA-CT 2005, LNCS, Springer Verlag (2005) -   Non-Patent Literature 11: Boneh, D., Waters, B.: Conjunctive,     subset, and range queries on encrypted data. In: Vadhan, S. P. (ed.)     TCC 2007. LNCS, vol. 4392, pp. 535.554. Springer Heidelberg (2007) -   Non-Patent Literature 12: X. Boyen: Mesh signatures. EUROCRYPT,     LNCS, vol. 4515, pp. 210.227. Springer (2007). -   Non-Patent Literature 13: Boyen, X., Waters, B.: Anonymous     hierarchical identity-based encryption (without random oracles). In:     Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290.307. Springer     Heidelberg (2006) -   Non-Patent Literature 14: Camenisch, J. and Gross, T.: Efficient     attributes for anonymous credentials. CCS 2008. -   Non-Patent Literature 15: Camenisch, J. and Lysyanskaya, A.: An     efficient system for non-transferable anonymous credentials with     optimal anonymity revocation. Eurocrypt 2001. -   Non-Patent Literature 16: Camenisch, J. and Lysyanskaya, A.:     Signature schemes and anonymous credentials from bilinear maps.     Crypto 2004. -   Non-Patent Literature 17: Canetti, R., Halevi S., Katz J.,     Chosen-ciphertext security from identity-based encryption. EUROCRYPT     2004, LNCS, Springer-Verlag (2004) -   Non-Patent Literature 18: Chaum, D.: Security without     identification: Transaction systems to make big brother obsolete.     CACM (1985). -   Non-Patent Literature 19: D. Chaum and E. van Heyst: Group     signatures. In proceedings of EUROCRYPT'91, . . . , LNCS, vol. 547,     pp. 257.265 (1991). -   Non-Patent Literature 20: Cocks, C.: An identity based encryption     scheme based on quadratic residues. In: Honary, B. (ed.) IMA Int.     Conf. LNCS, vol. 2260, pp. 360.363. Springer Heidelberg (2001) -   Non-Patent Literature 21: Gentry, C.: Practical identity-based     encryption without random oracles. In: Vaudenay, S. (ed.)     EURO—CRYPT 2006. LNCS, vol. 4004, pp. 445.464. Springer Heidelberg     (2006) -   Non-Patent Literature 22: Gentry, C., Halevi, S.: Hierarchical     identity-based encryption with polynomially many levels. In:     Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437.456. Springer     Heidelberg (2009) -   Non-Patent Literature 23: Gentry, C., Silverberg, A.: Hierarchical     ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS,     vol. 2501, pp. 548.566. Springer Heidelberg (2002) -   Non-Patent Literature 24: Goyal, V., Pandey, O., Sahai, A., Waters,     B.: Attribute-based encryption for fine-grained access control of     encrypted data. In: ACM Conference on Computer and Communication     Security 2006, pp. 89.98, ACM (2006) -   Non-Patent Literature 25: Groth, J., Sahai, A.: Efficient     non-interactive proof systems for bilinear groups. In: Smart, N. P.     (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415.432. Springer     Heidelberg (2008) -   Non-Patent Literature 26: S. Guo and Y. Zeng: Attribute-based     Signature Scheme, In ISA'08, pp. 509.511 (2008). -   Non-Patent Literature 27: Horwitz, J., Lynn, B.: Towards     hierarchical identity-based encryption. In: Knudsen, L. R. (ed.)     EURO-CRYPT 2002. LNCS, vol. 2332, pp. 466.481. Springer Heidelberg     (2002) -   Non-Patent Literature 28: Katz, J., Sahai, A., Waters, B.: Predicate     encryption supporting disjunctions, polynomial equations, and inner     products. In: Smart, N. P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965,     pp. 146.162. Springer Heidel-berg (2008) -   Non-Patent Literature 29: D. Khader: Attribute Based Group     Signatures, Cryptology ePrint Archive, Report 2007/159 (2007). -   Non-Patent Literature 30: D. Khader: Attribute Based Group Signature     with Revocation. Cryptology ePrint Archive, Report 2007/241, (2007).     http://eprintiacr.org/2007/241. -   Non-Patent Literature 31: Lewko, A., Okamoto, T., Sahai, A.,     Takashima, K. and Waters, B.: Fully Secure Functional Encryption:     Attribute-Based Encryption and (Hierarchical) Inner Product     Encryption, EUROCRYPT 2010. LNCS, Springer Heidelberg (2010) -   Non-Patent Literature 32: Lewko, A. B., Waters, B.: Fully secure     HIBE with short ciphertexts. ePrint, IACR, -   Non-Patent Literature 33: Lewko, A. B., Waters, B.: Decentralizing     Attribute-Based Encryption, ePrint, IACR, -   Non-Patent Literature 34: Jin Li, Man Ho Au, Willy Susilo, Dongqing     Xie, Kui Ren: Attribute-based Signature and its Application,     ASIACCS' 2010, ACM (2010) -   Non-Patent Literature 35: J. Li and K. Kim: Attribute-based ring     signatures. 2008. To appear in Journal of Information Sciences. -   Non-Patent Literature 36: Maji, H., Prabhakaran, M., Rosulek, M.:     Attribute-Based Signatures: Achieving Attribute-Privacy and     Collusion-Resistance. ePrint, IACR, -   Non-Patent Literature 37: Maji, H., Prabhakaran, M., Rosulek, M.:     Attribute-Based Signatures. -   Non-Patent Literature 38: Okamoto, T., Takashima, K.: Homomorphic     encryption and signatures from vector decomposition. In:     Galbraith, S. D., Paterson, K. G. (eds.) Pairing 2008. LNCS, vol.     5209, pp. 57.74. Springer Heidelberg (2008) -   Non-Patent Literature 39: Okamoto, T., Takashima, K.: Hierarchical     predicate encryption for Inner-Products, In: ASIACRYPT 2009,     Springer Heidelberg (2009) -   Non-Patent Literature 40: Okamoto, T., Takashima, K.: Fully Secure     Functional Encryption with General Relations from the Deci-sional     Linear Assumption, In: CRYPTO 2010, Springer Heidelberg (2010) -   Non-Patent Literature 41: Ostrovsky, R., Sahai, A., Waters, B.:     Attribute-based encryption with non-monotonic access structures. In:     ACM Conference on Computer and Communication Security 2007, pp.     195.203, ACM (2007) -   Non-Patent Literature 42: Pirretti, M., Traynor, P., McDaniel, P.,     Waters, B.: Secure attribute-based systems. In: ACM Conference on     Computer and Communication Security 2006, pp. 99.112, ACM, (2006) -   Non-Patent Literature 43: Pirretti, M., Traynor, P., McDaniel, P.,     Waters, B.: Secure attribute-based systems. In: ACM Conference on     Computer and Communication Security 2006, pp. 99.112, ACM, (2006) -   Non-Patent Literature 44: Sahai, A., Waters, B.: Fuzzy     identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005.     LNCS, vol. 3494, pp. 457.473. -   Springer Heidelberg (2005) -   Non-Patent Literature 45: S. F. Shahandashti and R. Safavi-Naini:     Threshold attribute-based signatures and their application to     anonymous credential systems. In AFRICACRYPT'09, pp. 198.216 (2009). -   Non-Patent Literature 46: A. Shamir: Identity-based cryptosystems     and signature schemes. In CRYPTO'84, pp. 47.53 (1984). -   Non-Patent Literature 47: Shi, E., Waters, B.: Delegating capability     in predicate encryption systems. In: Aceto, L., Damgoard, I.,     Goldberg, L. A., Halldorsson, M. M., Ingolfsdottir, A.,     Walukiewicz, I. (eds.) ICALP (2) 2008. LNCS, vol. 5126, pp. 560.578.     Springer Heidelberg (2008) -   Non-Patent Literature 48: Shi, E., Waters, B.: Delegating capability     in predicate encryption systems. In: Aceto, L., Damg° ard, I.,     Goldberg, L. A., Halldorsson, M. M., Ingolfsdottir, A.,     Walukiewicz, I. (eds.) ICALP (2) 2008. LNCS, vol. 5126, pp. 560.578.     Springer Heidelberg (2008) -   Non-Patent Literature 49: Waters, B.: Ciphertext-policy     attribute-based encryption: an expressive, efficient, and provably     secure realization. ePrint, IACR, -   Non-Patent Literature 50: Waters, B.: Dual system encryption:     Realizing fully secure IBE and HIBE under simple assumptions. In:     Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619.636. Springer     Heidelberg (2009) -   Non-Patent Literature 51: Waters, B.: Dual system encryption:     Realizing fully secure IBE and HIBE under simple assumptions. In:     Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619.636. Springer     Heidelberg (2009)

SUMMARY OF INVENTION Technical Problem

The conventional attribute-based signature scheme does not support non-monotone predicates.

It is an object of the present invention to provide an attribute-based signature scheme that supports non-monotone predicates.

Solution to Problem

A signature processing system according to the present invention is a signature processing system that includes a key generation device, a signature device, and a verification device, and serves to execute a signature process using a basis B_(t) and a basis B*_(t) for each integer t=0, . . . , d+1 (d is an integer of 1 or more),

wherein the key generation device includes

a first information input part which takes as input an attribute set Γ including identification information t and attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t) where n_(t) is an integer of 1 or more) for at least one integer t=1, . . . d,

a key element 0 generation part which generates a key element k*₀ where a predetermined value δ is set as a coefficient for a basis vector b*_(0,1) of a basis B*₀,

a key element t generation part which generates a key element k*_(t) where δx_(t,i) (i=1, . . . , n_(t)) obtained by multiplying the attribute information x^(→) _(t) by the predetermined value δ is set as a coefficient for a basis vector b*_(t,i) (i=1, . . . , n_(t)) of the basis B*_(t), concerning each identification information t included in the attribute set Γ inputted by the first information input part,

a key element d+1 generation part which generates a key element k*_(d+1,1) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,1) of a basis B*_(d+1), and a key element k*_(d+1,2) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,2) of the basis B*_(d+1), and

a signing key transmission part which transmits, to the signature device, a signing key sk_(Γ) including: the key element k*₀ generated by the key element 0 generation part; the key element k*_(t) generated by the key element t generation part concerning each identification information t included in the attribute set Γ; the key element k*_(d+1,1) and the key element k*_(d+1,2) which are generated by the key element d+1 generation part; and the attribute set Γ,

wherein the signature device includes

a second information input part which takes as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i)=(v_(i,i′)) (i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message in,

a signing key acquisition part which acquires the signing key sk_(Γ) transmitted by the signing key transmission part,

a complementary coefficient calculation part which, based on the variable ρ(i) inputted by the second information input part and the attribute set Γ included in the signing key sk_(Γ) acquired by the signing key acquisition part, specifies, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the positive tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the negative tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the negative tuple does not become 0; and calculates, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted by the second information input part becomes a predetermined vector h^(→),

a signature element 0 generation part which generates a signature element s*₀ including the key element k*₀ included in the signing key sk_(Γ),

a signature element i generation part which generates, for each integer i=1 . . . , L, a signature element s*_(i) including γ_(i)k*_(t) obtained by multiplying the key element k*_(t) included in the signing key sk_(Γ) by a value γ_(i), by setting the value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified by the complementary coefficient calculation part and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v^(→) _(i)·x^(→) _(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) _(i)); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer is not included in the set I,

a signature element L+1 generation part which generates a signature element s*_(L+1) including a sum of the key element k*_(d+1,1) included in the signing key sk_(Γ) and m′·k*_(d+1,2) obtained by multiplying the key element k*_(d+1,2) by a value m′ generated using the message m, and

a signature data transmission part which transmits, to the verification device, signature data σ including: the signature element s*₀ generated by the signature element 0 generation part; the signature element s*_(i) generated for each integer i=1, . . . , L by the signature element i generation part; the signature element s*_(L+1) generated by the signature element L+1 generation part; the message m; the variable ρ(i); and the matrix M, and

wherein the verification device includes

a data acquisition part which acquires the signature data σ transmitted by the signature data transmission part,

a verification element 0 generation part which generates a verification element c₀ by setting, as a coefficient for a basis vector b_(0,1) of a basis B₀, −s₀−s_(L+1) calculated from a value s₀:=h^(→)·f^(→) and a predetermined value the value s₀:=h^(→)·f^(→) being generated using a vector f^(→) having r pieces of elements, and the vector h^(→),

a verification element i generation part which, for each integer i=1, . . . , L and using a column vector s^(→T):=(s₁, . . . s_(L))^(T):=M·f^(→T) generated based on the vector f^(→) and the matrix M which is included in the signature data σ acquired by the data acquisition part, and a predetermined number θ_(t) for each integer i=1, . . . , L, generates a verification element c_(i), when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), by setting s_(i)+θ_(i)v_(i,1) as a coefficient for a basis vector b_(t,1) of the basis B₁ indicated by identification information t of the positive tuple and by setting θ_(i)v_(i,i′) (i′=2, . . . , n_(t)) as a coefficient for a basis vector b_(t,i′) (i′=2, . . . , n_(t)), and generates a verification element c_(i), when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), by setting s_(i)v_(i,i′) (i′=1, . . . , n_(t)) as a coefficient for the basis vector b_(t,i′) (i′=1, . . . , n_(t)) indicated by identification information t of the negative tuple,

a verification element L+1 generation part which generates a verification element c_(L+1) by setting s_(L+1)−θ_(L+1)m′ calculated from the predetermined value s_(L+1), the value m′, and a predetermined value θ_(L+1) as a coefficient for a basis vector b_(d+1,1) of a basis B_(d+1), and by setting the predetermined value θ_(L+1) as a coefficient for a basis vector b_(d1+1,2), and

a pairing operation part which verifies an authenticity of the signature data σ by conducting a pairing operation Π_(i=0) ^(L+1)e(c_(i),s*_(i)) for the verification element c₀ generated by the verification element 0 generation part, the verification element c_(i) generated by the verification element i generation part, the verification element c_(L+1) generated by the verification element L+1 generation part, and the signature elements s*₀, s*_(i), and s*_(L+1) included in the signature data σ.

Advantageous Effects of Invention

An attribute-based signature scheme according to the present invention supports non-monotone predicates, and accordingly realizes an attribute-based signature scheme having diversified applications.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M^.

FIG. 2 is an explanatory drawing of a matrix M_(δ).

FIG. 3 is an explanatory drawing of s₀.

FIG. 4 is an explanatory drawing of s^(→T).

FIG. 5 is a configuration diagram of a signature processing system 10 which executes an attribute-based signature scheme.

FIG. 6 is a function block diagram showing a function of a key generation device 100.

FIG. 7 is a function block diagram showing a function of a signature device 200.

FIG. 8 is a function block diagram showing a function of a verification device 300.

FIG. 9 is a flowchart showing the process of Setup algorithm.

FIG. 10 is a flowchart showing the process of KeyGen algorithm.

FIG. 11 is a flowchart showing the process of Sig algorithm.

FIG. 12 is a flowchart showing the process of Ver algorithm.

FIG. 13 is an explanatory drawing of multi-authority.

FIG. 14 is a configuration diagram of a signature processing system 10 which executes a decentralized multi-authority attribute-based signature scheme.

FIG. 15 is a function block diagram showing a function of each key generation device 100.

FIG. 16 is a function block diagram showing a function of a signature device 200.

FIG. 17 is a function block diagram showing the function of a verification device 300.

FIG. 18 is a flowchart showing the process of GSetup algorithm.

FIG. 19 is a flowchart showing the process of ASetup algorithm.

FIG. 20 is a flowchart showing the process of AttrGen algorithm.

FIG. 21 is a flowchart showing the process of Sig algorithm.

FIG. 22 is a flowchart showing the process of Ver algorithm.

FIG. 23 is a diagram showing an example of the hardware configuration of the key generation device 100, the signature device 200, and the verification device 300.

DESCRIPTION OF EMBODIMENTS

Embodiments of the present invention will be described hereinafter with reference to the accompanying drawings.

In the following description, a processing device is, for example, a CPU 911 (to be described later). A storage device is, for example, a ROM 913, a RAM 914, or a magnetic disk 920 (each will be described later). A communication device is, for example, a communication board 915 (to be described later). An input device is, for example, a keyboard 902 or the communication board 915 (to be described later). Namely, the processing device, the storage device, the communication device, and the input device are hardware.

The notation in the following description will be explained.

When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. Namely, in Formula 101, y is a random number.

$\begin{matrix} {y\overset{R}{\longleftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack \end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected from A. Namely, in Formula 102, y is a uniform random number.

$\begin{matrix} {y\overset{U}{\longleftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack \end{matrix}$

Formula 103 denotes that y is a set, defined or substituted by z. y:=z  [Formula 103]

When a is a fixed value, Formula 104 denotes an event that a machine (algorithm) A outputs a on input x. A(x)→a  [Formula 104]

For example, A(x)→1

Formula 105, namely, F_(q), denotes a finite field of order q.

_(q)  [Formula 105]

A vector symbol denotes a vector representation over the finite field F_(q). Namely, Formula 106 is established. {right arrow over (x)} denotes (x ₁ , . . . ,x _(n))ε

_(q) ^(n)  [Formula 106]

Formula 107 denotes the inner-product, indicated in Formula 109, of two vectors x^(→) and v^(→) indicated in Formula 108. {right arrow over (x)}·{right arrow over (v)}  [Formula 107] {right arrow over (x)}=(x ₁ , . . . ,x _(n)) {right arrow over (v)}=(v ₁ , . . . ,v _(n))[Formula 108] Σ_(i=1) ^(n) x _(i) v _(i)  [Formula 109]

Note that X^(T) denotes the transpose of matrix M.

When b_(i) (i=1, n) is an element of a vector of a space V, namely, when Formula 110 is established, Formula 111 denotes a subspace generated by Formula 112. b _(i)ε

(i=1, . . . ,n)  [Formula 110] span

b₁ , . . . ,b _(n)

⊂

(resp. span

{right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(n)

)  [Formula 111] b ₁ , . . . , b _(n) (resp. {right arrow over (x)} ₁ , . . . , {right arrow over (x)} _(n))  [Formula 112]

Note that for bases B and B* indicated in Formula 113, Formula 114 is established.

:=(b ₁ , . . . b _(N)),

*:=(b ₁ *, . . . ,b _(N)*)  [Formula 113] (x ₁ , . . . ,x _(N))

:=Σ_(i=1) ^(N) x _(i) b _(i), (y ₁ , . . . ,y _(N))

*:=Σ_(i=1) ^(N) y _(i) b _(i)*  [Formula 114]

In the following description, in param_(v0), V0 represents V₀.

Likewise, nt in F_(q) ^(nt) represents n_(t).

Likewise, xt in sk_(gtd,(t,xt)) represents x_(t).

Likewise, when “δi,j” is indicated as a superscript, δi,j is δ_(i,j).

When “→” indicating a vector is attached to a subscript or superscript, “→” is attached as a superscript to the subscript or superscript.

In the following description, a signature process includes a key generation process, a signature process, and a verification process.

Embodiment 1

This embodiment describes an “attribute-based signature scheme”.

First, an attribute-based signature will be briefly explained.

Second, a space having a rich mathematical structure called “dual pairing vector spaces (DPVS)” which is a space for implementing the attribute-based signature scheme will be described.

Third, a concept for implementing the attribute-based signature scheme will be described. Here, a “span program”, “the inner-product of attribute vectors, and an access structure”, and a “secret distribution scheme (secret sharing scheme)” will be described. Collision resistant hash functions will also be described.

Fourth, an “attribute-based signature scheme” according to this embodiment will be described. Initially, the basic structure of the “attribute-based signature scheme” will be described. Subsequently, the basic structure of a “signature processing system 10” that implements the “attribute-based signature scheme” will be described. Then, the “attribute-based signature scheme” and the “signature processing system 10” according to this embodiment will be described in detail.

<1. Attribute-Based Signature>

The concept of digital signature was introduced in the seminal paper by Diffie and Hellman in 1976. In this concept, a pair comprising a secret signing key sk and a public verification key pk is generated for the signer, and signature a of message m generated using the signing key sk is verified by the corresponding verification key pk. Hence, the signer of the message (m, σ) signed using the signing key sk is identified through the verification key pk.

Although this is one of the requirements of digital signatures, there is no flexibility or privacy in the relationship between signers and claims attested by signatures due to the tight relation between the signing key sk and the verification key pk.

Versatile and privacy-enhanced variants of digital signatures have been studied, where the relation between a signing key and verification key is more flexible or sophisticated.

In this class of signatures, the signing key and verification key are parameterized by attribute x and predicate v, respectively, and signed message (m, generated by the signing key with parameter x, sk_(x), is correctly verified by public key pk and parameter v, if and only if predicate v accepts attribute x (when v(x) holds).

The privacy of signers in this class of signatures requires that a signature for predicate v, generated by the signing key sk_(x) release no information regarding attribute x except that v(x) holds.

When predicate v is the equality with parameter v (i.e., v(x) holds if and only if x=v), the class of signatures for this predicate is ID-based signatures (Identity-Based Signatures, IBS) (see Non-Patent Literature 46).

Here note that there is no room for privacy in the ID-based signatures, since predicate v uniquely identifies attribute x of the signer's secret key sk_(x), such that x=v.

Group signatures are also in this class of signatures (see Non-Patent Literature 19). Group signatures are signatures with predicate v, where v(x) holds if and only if predicate parameter v is the group identity and attribute x is a member identity of group v (or pk_(v) is a public key identifying group v and sk_(x) is a secret key of member x of group v).

Due to the privacy requirement, signatures generated using the secret key sk_(x) release no information regarding member identity x except that x is a member of group v.

This class of signatures includes an attribute-based signature with a more sophisticated predicate (see Non-Patent Literatures 26, 29, 30, 34 to 46, 45, and 51), where x for signing key slc is a tuple of attributes (x₁, . . . , x_(i)), and v for verification is a threshold or access structure predicate.

The widest class of predicates in the existing attribute-based signature scheme are monotone access structures (see Non-Patent Literatures 36 and 37), where predicate v is specified by a monotone span program (M, ρ) (MSP(M, ρ)) along with a tuple of attributes (v₁, . . . , v_(j)), and v(x) holds if and only if MSP (M, ρ) accepts the truth-value vector of (T(x_(i) _(—) ₁=v₁), . . . , T(x_(i) _(—) _(i)=v_(j))). Here, T(ψ):=1 if ψ is true, and T(ψ):=0 if ψ is false. For example, T(x=v):=1 if x=v, and T(x=v):=0 if x≠v.

Such a monotone predicate can express AND, OR, and Threshold gates.

An example of such monotone predicate v for an attribute-based signature will be explained.

An example of such monotone predicate v is (Institute=Univ. A) AND (TH2((Department=Biology), (Gender=Female), (Age=50's)) OR (Position=Professor)), where TH2 means the threshold gate with threshold value 2 (namely, a gate that requires two or more conditions being held).

Attribute x_(A) of Alice is (Institute=Univ. A), (Department=Biology), (Position=Postdoc), (Age=30), (Gender=Female), and attribute x_(B) of Bob is (Institute=Univ. A), (Department=Mathematics), (Position=Professor), (Age=45), (Gender=Male). Although their attributes, x_(A) and x_(B), are quite different, it is clear that v(x_(A)) and v(x_(B)) hold, and that there are many other attributes that satisfy v.

Hence Alice and Bob can generate a signature on this predicate, and due to the privacy requirement of the attribute-based signature, a signature for v releases no information regarding the attribute of the signer, i.e., Alice or Bob (or other), except that the attribute of the signer satisfies the predicate v.

There are many applications of the attribute-based signature such as attributed-based messaging (ABM), attributed-based authentication, trust-negotiation and leaking secrets (see Non-Patent Literatures 36 and 37).

However, there is no attribute-based signature scheme, even one with a low security, for a non-monotone predicate. A non-monotone predicate can express a NOT gate, as with AND, OR, and Threshold gates.

More specifically, with a monotone predicate, although a positive condition can be set, such as (Institute=Univ. A), a negative condition cannot be set, such as (Institute≠Univ. A) (that is, Not(Institute=Univ. A)). In contrast to this, with a non-monotone predicate, a negative condition can be set.

If there are many universities besides Univ. A, it is difficult to set a negative condition of other than Univ. A using only a positive condition (the description becomes complicated). This indicates usefulness of non-monotone predicates.

<2. Dual Pairing Vector Spaces>

First, symmetric bilinear pairing groups will be described.

The symmetric bilinear pairing groups (q, G, G^(T), g, e) are a tuple of a prime q, a cyclic additive group G of order q, a cyclic multiplicative group G^(T) of order q, g≠0εG, and a polynomial-time computable nondegenerate bilinear pairing e:G×G→G_(T). The nondegenerate bilinear pairing signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let Formula 115 be an algorithm that takes as input 1^(λ) and outputs the values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups with a security parameter λ.

_(bpg)  [Formula 115]

Dual pairing vector spaces will now be described.

Dual pairing vector spaces (q, V, G_(T), A, e) can be constituted by a direct product of symmetric bilinear pairing groups (param_(G):=(q, G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) are a tuple of a prime q, an N-dimensional vector space V over F_(q) indicated in Formula 116, a cyclic group G_(T) of the order q, and a canonical basis A:=(a₁, . . . , a_(N)) of the space V, and have the following operations (1) and (2) where a_(i) is as indicated in Formula 117.

$\begin{matrix} {{\mathbb{V}}:=\overset{\overset{N}{︷}}{{\mathbb{G}} \times \ldots \times {\mathbb{G}}}} & \left\lbrack {{Formula}\mspace{14mu} 116} \right\rbrack \\ {a_{i}:=\left( {{\overset{\overset{i - 1}{︷}}{0,\ldots\mspace{14mu},0,}g},\overset{\overset{N - i}{︷}}{0,\ldots\mspace{14mu},0}} \right)} & \left\lbrack {{Formula}\mspace{14mu} 117} \right\rbrack \end{matrix}$

Operation (1): Nondegenerate Bilinear Pairing

The pairing on the space V is defined by Formula 118. e(x,y):=Π_(i=1) ^(N) e(G _(i) ,H _(i))ε

_(T)  [Formula 118] where (G ₁ , . . . ,G _(N)):=Xε

, (H ₁ , . . . ,H _(N)):=yε

This is nondegenerate bilinear, i.e., e(sx, ty)=e(s, y)^(st) and if e(x, y)=1 for all yεV, then x=0. For all i and j, e(a_(i), a_(j))=e(g, g)^(δi,j) where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j. Also, e(g, g)≠1εG_(T).

Operation (2): Distortion Maps

Linear transformation φ_(i,j) on the space V indicated in Formula 119 can achieve Formula 120.

$\begin{matrix} {{{\phi_{i,j}\left( a_{j} \right)} = a_{i}}{{{{if}\mspace{14mu} k} \neq {j\mspace{14mu}{then}\mspace{14mu}{\phi_{i,j}\left( a_{k} \right)}}} = 0}} & \left\lbrack {{Formula}\mspace{14mu} 119} \right\rbrack \\ {{{\phi_{i,j}(x)}:=\left( {\overset{\overset{i - 1}{︷}}{0,\ldots\mspace{14mu},0},g_{j},\overset{\overset{N - i}{︷}}{0,\ldots\mspace{14mu},0}} \right)}{{Note}\mspace{14mu}{that}}{x:=\left( {g_{1},{\ldots\mspace{14mu} g_{N}}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 120} \right\rbrack \end{matrix}$

Linear transformation φ_(i,j) will be called distortion maps.

In the following description, let Formula 121 be an algorithm that takes as input, 1^(λ) (λεnatural number), Nεnatural number, and the values of the parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, and outputs the values of a parameter param_(v):=(q, V, G_(T), A, e) of dual pairing vector spaces which have a security parameter λ and which form an N-dimensional space V.

_(dpvs)  [Formula 121]

A case will be described where dual pairing vector spaces are constructed from the symmetric bilinear pairing groups described above. Dual pairing vector spaces can be constructed from asymmetric bilinear pairing groups as well. The following description can be easily applied to a case where dual pairing vector spaces are constructed from asymmetric bilinear pairing groups.

<3. Concept for Implementing Attribute-Based Signature Scheme>

<3-1. Span Program>

FIG. 1 is an explanatory drawing of a matrix M^.

Let {p₁, . . . , p_(n)} be a set of variables. M^:=(M, ρ) is a labeled matrix where the matrix M is an (L rows×r columns) matrix over F_(q), and ρ is a label of each row of the matrix M and is related to one of literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. A label ρ_(i) (i=1, . . . , L) of every row of M is related to one of the literals, namely, ρ: {1, . . . , L}→{p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}.

For every input sequence δε{0, 1}^(n), a submatrix M_(δ) of the matrix M is defined. The matrix M_(δ) is a submatrix consisting of those rows of the matrix M, whose labels ρ are related to value “1” by the input sequence δ. Namely, the matrix M_(δ) is a submatrix consisting of the rows of the matrix M which are related to p_(i) with which δ_(i)=1 and the rows of the matrix M which are related to

p_(i) with which δ_(i)=0.

FIG. 2 is an explanatory drawing of the matrix M_(δ). Note that in FIG. 2, n=7, L=6, and r=5. That is, the set of variables is {p₁, . . . , p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, assume that the labels ρ are related such that ρ₁ corresponds to

p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to

p₅, ρ₅ to

p₃, and ρ₆ to

p₅.

Assume that in an input sequence δε{0,1}⁷, δ₁=1, δ₂=0, δ₃=1, δ₄=0, δ₅=0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rows of the matrix M which are related to literals (p₁, p₃, p₆, pγ_(i)

₂,

p₄,

p₅) surrounded by broken lines is the matrix M_(δ). That is, the submatrix consisting of the 1st row (M₁), 2nd row (M₂), and 4th row (M₄) of the matrix M is the matrix M_(δ).

In other words, when map γ:{1, . . . , L}→{0, 1} is [ρ(j)=p_(i)]

[δ_(i)=1] or [ρ(j)=

p_(i)]

[δ_(i)=0], then γ(j)=1; otherwise γ(j)=0. In this case, M_(δ):=(M_(j))_(γ(j)=1). Note that M_(j) is the j-th row of the matrix M.

That is, in FIG. 2, map γ(j)=1 (j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6). Hence, (M_(j))_(γ(j)=1) is M₁, M₂, and M₄, and the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M is included in the matrix M_(δ) is determined by whether the value of the map γ(j) is “0” or “1”.

The span program M^accepts an input sequence δ if and only if 1^(→)εspan<M_(δ)>, and rejects the input sequence δ otherwise. Namely, the span program M^ accepts the input sequence δ if and only if linear combination of the rows of the matrix M_(δ) which are obtained from the matrix M^ by the input sequence δ gives 1^(→). 1^(→) is a row vector which has value “1” in each element.

For example, in FIG. 2, the span program M^ accepts the input sequence δ if and only if linear combination of the respective rows of the matrix M_(δ) consisting of the 1st, 2nd, and 4th rows of the matrix M gives 1^(→). That is, if there exist α₁, α₂, and α₄ with which α₁ (M₁)+α₂(M₂)+α₄(M₄)=1^(→), the span program M^ accepts the input sequence δ.

The span program is called monotone if its labels ρ are related to only positive literals {p₁, . . . , p_(n)}. The span program is called non-monotone if its labels ρ are related to the literals {p₁, . . . , p_(n),

p₁, . . .

p_(n)}. Suppose that the span program is non-monotone. An access structure (non-monotone access structure) is constituted using the non-monotone span program.

Because the span program is not monotone but non-monotone as described above, the application of the attribute-based signature scheme constituted using the span program widens.

<3-2. Inner-Product of Attribute Vectors and Access Structure>

Map γ(j) described above will be calculated using the inner-product of attribute vectors. Namely, which row of the matrix M is to be included in the matrix M_(δ) will be determined using the inner-product of the attribute vectors.

U_(t) (t=1, . . . , d and U_(t)⊂{0, 1}*) is a sub-universe and an attribute set. Each U_(t) includes identification information (t) of the sub-universe and n_(t)-dimensional vector (v^(→)). Namely, U_(t) is (t, v^(→)) where tε{1, . . . , d} and v^(→)εF_(q) ^(nt).

Let U_(t):=(t, v^(→)) be a variable p of the span program M^:=(M, ρ), that is, p:=(t, v^(→)). Let the span program M^:=(M, ρ) having the variable (p:=(t, v^(→)), (t′, v′^(→)), . . . ) be an access structure S.

That is, the access structure S:=(M, ρ), and ρ: {1, . . . , L}→{(t v^(→)), (t′, v′^(→)), . . . ,

(t, v^(→)),

(t′,v′^(→)), . . . }.

Let Γ be an attribute set, that is, Γ:={(t, x^(→) _(t))|x^(→) _(q)εF_(q) ^(nt), 1≦t≦d}.

When Γ is given to the access structure S, map γ: {1, . . . , L}→{0, 1} for the span program M^:=(M, ρ) is defined as follows. For each integer i=1, . . . , L, set γ(i)=1 if [ρ(i)=(t, v^(→) _(i))]

[(t, x^(→) _(t))]εΓ

[v^(→) _(i)·x^(→) _(t)=0] or [ρ(i)=

(t, v^(→) _(i))]

[(t, x^(→) _(t))εΓ]

[v^(→) _(i)·x^(→) _(t)≠0]. Set γ(i)=0 otherwise.

Namely, the map γ is calculated based on the inner-product of the attribute vectors v^(→) and x^(→). As described above, which row of the matrix M is to be included in the matrix M_(δ) is determined by the map γ. More specifically, which row of the matrix M is to be included in the matrix M_(δ) is determined by the inner-product of the attribute vectors v^(→) and x^(→). The access structure S:=(M, ρ) accepts Γ if and only if 1^(→)εspan<M_(i))_(γ(i)=1)>.

A simpler form of the inner-product relations in the above-mentioned access structures is obtained when n_(t)=2 for all tε{1, . . . , d}, and x^(→):=(1, x) and v^(→):=(v,−1).

In this case, (t, x^(→) _(t)):=(t, (1, x)) and (t, v^(→) _(i)):=(t, (v_(i),−1)), which will be simplified as (t, x_(t)) and (t, v_(i)). Then, the access structure S is S:=(M, ρ) such that ρ: {1, . . . , L}→{(t, v), (t′, v′), . . .

(t, v),

(t′, v′), . . . } (v, v′, . . . εF_(q)), and the attribute set Γ is Γ:={(t, x_(t))|x_(t)εF_(q), 1≦t≦d}.

When Γ is given to the access structure S, map γ: {1, . . . , L}→{0, 1} for the span program M^:=(M, ρ) is defined as follows: For each integer i=1, . . . , L, set γ(i)=1 if [ρ(i)=(t, v_(i))]

[(t, x_(t))εΓ]

[v_(i)=x_(t)] or [ρ(i)=

(t, v_(i))]

[(t, x_(t))εΓ]

[v_(i)≠x_(t)]. Set γ(i)=0 otherwise.

<3-3. Secret Distribution Scheme>

A secret distribution scheme for the access structure S:=(M, ρ) will be described.

The secret distribution scheme is distributing secret information to render it nonsense distributed information. For example, secret information s is let to be distributed among 10 lumps to generate 10 pieces of distributed information. Each of the 10 pieces of distributed information does not have information on secret information s. Hence, even when certain one piece of distributed information is obtained, no information can be obtained on the secret information s. On the other hand, if all of the 10 pieces of distributed information are obtained, the secret information s can be recovered.

Another secret distribution scheme is also available according to which even when all of the 10 pieces of distributed information cannot be obtained, if one or more, but not all, (for example, 8 pieces) of distributed information can be obtained, then the secret information s can be recovered. A case like this where the secret information s can be recovered using 8 pieces out of 10 pieces of distributed information will be called 8-out-of-10. That is, a case where the secret information s can be recovered using t pieces out of n pieces of distributed information will be called t-out-of-n. This t will be called a threshold.

Still another secret distribution scheme is available according to which when 10 pieces of distributed information d₁, . . . , d₁₀ are generated, the secret information s can be recovered if 8 pieces of distributed information d₁, . . . , d₈ are given, but cannot if 8 pieces of distributed information d₃, . . . , d₁₀ are given. Namely, this is a secret distribution scheme with which whether or not the secret information s can be recovered is controlled not only by the number of pieces of distributed information obtained but also depending on the combination of the distributed information.

FIG. 3 is an explanatory drawing of s₀. FIG. 4 is an explanatory drawing of s^(→T).

Let a matrix M be an (L rows×r columns) matrix. Let f^(→) be a column vector indicated in Formula 122.

$\begin{matrix} {{\overset{->}{f}}^{T}:={\left( {f_{1},{\ldots\mspace{14mu} f_{r}}} \right)^{T}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{r}}} & \left\lbrack {{Formula}\mspace{14mu} 122} \right\rbrack \end{matrix}$

Let s₀ indicated in Formula 123 be secret information to be shared. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T):=Σ_(k=1) ^(r) f _(k)  [Formula 123]

Let s^(→T) indicated in Formula 124 be a vector of L pieces of distributed information of s₀. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 124]

Let the distributed information s, belong to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, 1^(→)εspan<(M_(i))_(γ(i)1=1)> for γ: {1, . . . , L}→{0. 1}, then there exist constants {α_(i)εF_(q)|iεI} such that I⊂{iε{1, . . . , L}|γ(i)=1}.

This is obvious from the explanation on FIG. 2 in that if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(K)=1^(→), the span program M^ accepts the input sequence δ. Namely, if the span program M^ accepts the input sequence δ when there exist α₁, α_(z), and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), then there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→).

Note Formula 125. Σ_(iεI)α_(i) s _(i) :=s ₀  [Formula 125]

Note that the constants {α_(i)} can be computed in time polynomial in the size of the matrix M.

With the attribute-based signature scheme according to this and the following embodiments, an access structure is constructed by applying the inner-product predicate and the secret distribution scheme to the span program, as described above. Therefore, access control can be designed flexibly by designing the matrix M in the span program and the attribute information x and the attribute information v (predicate information) in the inner-product predicate. Namely, access control can be designed very flexibly. Designing of the matrix M corresponds to designing of conditions such as the threshold of the secret distribution scheme.

In particular, the access structure in the attribute-based signature scheme according to this and the following embodiments constitutes a non-monotone access structure that uses a non-monotone span program. Namely, the attribute-based signature scheme according to this and the following embodiments is a signature scheme with non-monotone predicates. Thus, the flexibility in the access control design further improves.

<3-4. Collision Resistance Hash Function>

A collision resistance hash function is a hash function which is difficult to find two inputs that hash to the same output.

Let a natural number X be a security parameter. A collision resistant hash function family H associated with algorithm G_(bpg), and a polynomial poly(λ) specify two items:

1. A family of key spaces is indexed by λ. Each such key space is a probability space on bit strings denoted by KH_(λ). There must exist a probabilistic polynomial-time algorithm whose output distribution on input 1^(λ) is equal to KH_(λ).

2. A family of hash functions is indexed by λ, hk randomly selected from KH_(λ), and D:={0, 1}^(poly(λ)), where each such function H_(bk) ^(λ,D) maps an element of D to an element of F_(q) ^(x) with q being the first element of output param_(G) of algorithm G_(bpg)(1^(λ)). There must exist a deterministic polynomial-time algorithm that on input 1^(λ), hk and dεD, outputs H_(hk) ^(λ,D)(d).

Let ε be a probabilistic polynomial-time machine. For all λ, Formula 126 is defined:

$\begin{matrix} {{{{Adv}_{ɛ}^{H,{CR}}(\lambda)}:={\Pr\left\lbrack {{\left( {d_{1},d_{2}} \right) \in {{D^{2}\bigwedge d_{1}} \neq {d_{2}\bigwedge{H_{hk}^{\lambda,D}\left( d_{1} \right)}}}} = {H_{hk}^{\lambda,D}\left( d_{2} \right)}} \right\rbrack}}\mspace{79mu}{where}\mspace{79mu}{D:={\left\{ {0,1} \right\}{poly}\;(\lambda)}}\mspace{79mu}{{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}}\mspace{79mu}{\left( {d_{1},d_{2}} \right)\overset{R}{\longleftarrow}{ɛ\left( {1^{\lambda},{hk},D} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 126} \right\rbrack \end{matrix}$

H is a collision resistant hash function family if for any probabilistic polynomial-time adversary ε, Adv_(ε) ^(H,CR)(λ) is negligible.

<4. Structure of Attribute-Based Signature Scheme>

<4-1. Basic Structure of Attribute-Based Signature Scheme>

The attribute-based signature scheme consists of four algorithms: Setup, KeyGen, Sig, and Ver.

(Setup)

A Setup algorithm is a randomized algorithm that takes as input a security parameter λ and an attribute format n^(→):=((d; n_(t), u_(t), w_(t), z_(t) (t=1, . . . d)), and outputs a public parameter pk and a master key sk.

(KeyGen)

A KeyGen algorithm is a randomized algorithm that takes as input an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t)εF_(q) ^(nt)\{0^(→)}1≦t≦d}, the public parameter pk, and the master key sk, and outputs a signing key sk_(Γ).

(Sig)

A Sig algorithm is a randomized algorithm that takes as input a message m, an access structure S:=(M, ρ) that accepts the attribute set Γ, the signing key sk_(Γ), and the public parameter pk, and outputs signature data σ including a signature s^(→)*, the message in, and the access structure S.

(Ver)

A Ver algorithm is an algorithm that takes as input the signature data σ and the public parameter pk, and outputs Boolean value 1 (accept) or 0 (reject).

With the attribute-based signature scheme, for every public parameter pk and master key sk indicated in Formula 127, every message m, every attribute set Γ, every signing key sk_(Γ) indicated in Formula 128, every access structure S that accepts the attribute set Γ, and every signature data σ indicated in Formula 129, 1=Ver(pk, m, S, σ) holds with probability 1.

$\begin{matrix} {\left( {{pk},{sk}} \right)\overset{R}{\longleftarrow}{{Setup}\left( {1^{\lambda},\overset{->}{n}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 127} \right\rbrack \\ {{sk}_{\Gamma}\overset{R}{\longleftarrow}{{KeyGen}\left( {{pk},{sk},\Gamma} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 128} \right\rbrack \\ {\sigma\overset{R}{\longleftarrow}{{Sig}\left( {{pk},{sk}_{\Gamma},m,{\mathbb{S}}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 129} \right\rbrack \end{matrix}$

<4-2. Signature Processing System 10>

A signature processing system 10 that executes the algorithms of the attribute-based signature scheme described above will be described.

FIG. 5 is a configuration diagram of the signature processing system 10 which executes the attribute-based signature scheme.

The signature processing system 10 is provided with a key generation device 100, a signature device 200, and a verification device 300.

The key generation device 100 executes the Setup algorithm by taking as input a security parameter λ, and an attribute format n^(→):=((d; n_(t), u_(t), w_(t), z_(t) (t=1, . . . , d)), and generates a public parameter pk and a master key sk. The key generation device 100 publicizes the generated public parameter pk. The key generation device 100 also executes the KeyGen algorithm by taking as input the attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t)εF_(q) ^(nt)\{0^(→)}, 1≦t≦d}, the public parameter pk, and the master key sk, and generates a signing key sk_(Γ) and distributes it to the signature device 200 in secrecy.

The signature device 200 executes the Sig algorithm by taking as input a message m, an access structure S:=(M, ρ) that accepts the attribute set Γ, the signing key sk_(Γ), and the public parameter pk, and generates signature data σ including a signature s^(→)*, the message m, and the access structure S. The signature device 200 transmits the generated signature data σ to the verification device 300.

The verification device 300 executes the Ver algorithm by taking as input the signature data σ and the public parameter pk, and outputs Boolean value 1 (accept) or 0 (reject).

<4-3. Attribute-Based Signature Scheme and Signature Processing System 10 in Detail>

The attribute-based signature scheme, and the function and operation of the signature processing system 10 which executes the attribute-based signature scheme will be described with reference to FIGS. 6 to 12.

FIG. 6 is a function block diagram showing the function of the key generation device 100. FIG. 7 is a function block diagram showing the function of the signature device 200. FIG. 8 is a function block diagram showing the function of the verification device 300.

FIGS. 9 and 10 are flowcharts showing the operation of the key generation device 100. Note that FIG. 9 is a flowchart showing the process of the Setup algorithm, and that FIG. 10 is a flowchart showing the process of the KeyGen algorithm. FIG. 11 is a flowchart showing the operation of the signature device 200 and the process of the Sig algorithm. FIG. 12 is a flowchart showing the operation of the verification device 300 and the process of the Ver algorithm.

The function and operation of the key generation device 100 will be described.

As shown in FIG. 6, the key generation device 100 is provided with a master key generation part 110, a master key storage part 120, an information input part 130 (first information input part), a signing key generation part 140, and a key distribution part 150 (signing key transmission part).

The signing key generation part 140 is provided with a random number generation part 141, a key element 0 generation part 142, a key element t generation part 143, and a key element d+1 generation part 144.

In the following description, H:=(KH_(λ), H_(hk) ^(λ,D)) is a collision resistant hash function family described above.

The process of the Setup algorithm executed by the key generation device 100 will be described first with reference to FIG. 9.

(S101: Orthogonal Basis Generation Step)

The master key generation part 110 calculates Formula 130 with the processing device to randomly generate the param_(n→), and bases B_(t) and B*_(t) for each integer t=0, . . . , d+1.

$\begin{matrix} {\left\lbrack {{Formula}\mspace{14mu} 130} \right\rbrack{{{input}\mspace{14mu} 1^{\lambda}},{\overset{->}{n}:={\left( {{d;n_{t}},u_{t},w_{t},z_{t}} \right)\left( {{t = 0},\ldots\mspace{14mu},{d + 1}} \right)}}}} & \begin{matrix} \; \\ (1) \end{matrix} \\ {{param}_{\mathbb{G}}:={\left( {q,{\mathbb{G}},{\mathbb{G}}_{T},g,e} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{bpg}\left( 1^{\lambda} \right)}}} & (2) \\ {{{\psi\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{x}},{N_{t}:={{n_{t} + u_{t} + w_{t} + {z_{t}\mspace{14mu}{for}\mspace{14mu} t}} = 0}},\ldots\mspace{14mu},{d + 1}}{{{For}\mspace{14mu}{each}\mspace{14mu} t\mspace{14mu}{of}\mspace{14mu} t} = 0},\ldots\mspace{14mu},{d + 1},{{the}\mspace{14mu}{processes}\mspace{14mu}(4)\mspace{14mu}{to}\mspace{14mu}(8)\mspace{14mu}{are}\mspace{14mu}{{executed}.}}} & (3) \\ {{param}_{{\mathbb{V}}_{t}}:={\left( {q,{\mathbb{V}}_{t},{\mathbb{G}}_{T},{\mathbb{A}}_{t},e} \right):={\mathcal{G}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{\mathbb{G}}} \right)}}} & (4) \\ {X_{t}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{\mathbb{F}}_{q}} \right)}}} & (5) \\ {\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}} & (6) \\ {{b_{t,i}:={\left( {\chi_{t,i,1},\ldots\mspace{14mu},\chi_{t,i,N_{t}}} \right)_{{\mathbb{A}}_{t}} = {\sum\limits_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}}}}},{{\mathbb{B}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,N_{t}}} \right)}} & (7) \\ {{b_{t,i}^{*}:={\left( {v_{t,i,1},\ldots\mspace{14mu},v_{t,i,N_{t}}} \right)_{{\mathbb{A}}_{t}} = {\sum\limits_{j = 1}^{N_{t}}{v_{t,i,j}a_{t,j}}}}},{{\mathbb{B}}_{t}^{*}:=\left( {b_{t,1}^{*},\ldots\mspace{14mu},b_{t,N_{t}}^{*}} \right)}} & (8) \\ {{g_{T}:={{e\left( {g,g} \right)}\psi}}\;{{param}_{\overset{->}{n}}:=\left( {\left\{ {param}_{{\mathbb{V}}_{t}} \right\}_{{t = 0},\ldots\mspace{14mu},{d + 1},}g_{T}} \right)}} & (9) \end{matrix}$

Namely, the master key generation part 110 executes the following processes.

(1) With the input device, the master key generation part 110 takes as input a security parameter λ (1^(λ)) and the attribute format n^(→):=((d; n_(t), u_(t), w_(t), z_(t) (t=0, . . . , d+1)), where d is an integer of 1 or more, and n_(t) is 1 for t=0, an integer of 1 or more for each integer t=1, . . . , d, and 2 for t=d+1. Each of u_(t), w_(t), and z_(t) is an integer of 1 or more for each integer t=0, . . . , d+1.

(2) With the processing device, the master key generation part 110 executes algorithm G_(bpg) by taking as input the security parameter λ (1^(λ)) inputted in (1), and randomly generates the values of a parameter param_(G):=(q, G, G_(T), g, e) of the bilinear pairing group.

(3) With the processing device, the master key generation part 110 generates a random number ψ, and sets n_(t)+u_(t)+w_(t)+z_(t) in N_(t) for each integer t=0, . . . , d+1.

Subsequently, the master key generation part 110 executes the processes of the following (4) to (8) for each integer t=0, . . . , d+1.

(4) With the processing device, the master key generation part 110 executes algorithm G_(dpvs) by taking as input the security parameter λ (1^(λ)) inputted in (1), N_(t) set in (3), and the values of param_(G):=(q, G, G_(T), g, e) generated in (2), and generates the values of parameter param_(Vt):=(q, V_(t), G_(T), A_(t), e) of the dual pairing vector spaces.

(5) With the processing device, the master key generation part 110 takes as input N_(t) set in (3), and F_(q), and generates linear transformation X_(t):=(χ_(t,i,j))_(i,j) randomly. Note that GL stands for General Linear. Namely, GL is a general linear group, a set of square matrices in which the determinant is not 0, and a group with respect to multiplication. Note that (χ_(t,i,j))_(i,j) signifies a matrix concerning the suffixes i and j of the matrix χ_(t,i,j) where i, j=1, . . . , n_(t).

(6) With the processing device and based on the random number ψ and linear transformation X_(t), the master key generation part 110 generates (ν_(t,i,j))_(i,j):=ψ·(X_(t) ^(T))⁻¹. As (χ_(t,i,j))_(i,j) does, (ν_(t,i,j))_(i,j) signifies a matrix concerning the suffixes i and j of the matrix ν_(t,i,j) where i, j=1, . . . , n_(t).

(7) With the processing device and based on the linear transformation X_(t) generated in (5), the master key generation part 110 generates the basis B_(t) from the canonical basis A_(t) generated in (4).

(8) With the processing device and based on (ν_(t,i,j))_(i,j) generated in (6), the master key generation part 110 generates the basis B*_(t) from the canonical basis A_(t) generated in (4).

(9) With the processing device, the master key generation part 110 sets e(g, g)^(ψ) in g_(T). The master key generation part 110 also sets {param_(Vt)}_(t=0, . . . , d+1) generated in (4), and g_(T), in param_(n→). Note that g_(T)=e(b_(t,i), b*_(t,i)) for each integer t=0, . . . , d+1 and each integer i=1, . . . , N_(t).

In brief, in (S101), the master key generation part 110 executes the algorithm G_(ob) indicated in Formula 131, and generates param_(n→), and the bases B_(t) and B*_(t) for each integer t=0, . . . , d+1.

$\begin{matrix} {\mspace{79mu}{{{{{\mathcal{G}_{ob}\left( {1^{\lambda},{\overset{->}{n}:={\left( {{d;n_{t}},u_{t},w_{t},z_{t}} \right)\left( {{t = 0},\ldots\mspace{14mu},{d + 1}} \right)}}} \right)}:\mspace{79mu}{param}_{\mathbb{G}}}:={\left( {q,{\mathbb{G}},{\mathbb{G}}_{T},g,e} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{79mu}{\psi\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{x}},\mspace{79mu}{N_{t}:={{n_{t} + u_{t} + w_{t} + {z_{t}\mspace{14mu}{for}\mspace{14mu} t}} = 0}},\ldots\mspace{14mu},{d + 1},\mspace{79mu}{{{For}\mspace{14mu} t} = 0},\ldots\mspace{14mu},{d + 1},\text{}{{param}_{{\mathbb{V}}_{t}}:={\left( {q,{\mathbb{V}}_{t},{\mathbb{G}}_{T},{\mathbb{A}}_{t},e} \right):={\mathcal{G}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{\mathbb{G}}} \right)}}},\mspace{79mu}{X_{t}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{\mathbb{F}}_{q}} \right)}}},\mspace{79mu}{\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}},\mspace{79mu}{b_{t,i}:={\left( {\chi_{t,i,1},\ldots\mspace{14mu},\chi_{t,i,N_{t}}} \right)_{{\mathbb{A}}_{t}} = {\sum\limits_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}}}}},\mspace{79mu}{{\mathbb{B}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,N_{t}}} \right)},\mspace{79mu}{b_{t,i}^{*}:={\left( {v_{t,i,1},\ldots\mspace{14mu},v_{t,i,N_{t}}} \right)_{{\mathbb{A}}_{t}} = {\sum\limits_{j = 1}^{N_{t}}{v_{t,i,j}a_{t,j}}}}},\mspace{79mu}{{\mathbb{B}}_{t}^{*}:=\left( {{b_{t}^{*}}_{,1},\ldots\mspace{14mu},{b_{t}^{*}}_{,N_{t}}} \right)},\mspace{79mu}{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{79mu}{{param}_{\overset{->}{n}}:=\left( {\left\{ {param}_{{\mathbb{V}}_{t}} \right\}_{{t = 0},\ldots\mspace{14mu},{d + 1},}g_{T}} \right)}}\mspace{79mu}{{return}\mspace{14mu}{\left( {{param}_{\overset{->}{n}},\left\{ {{\mathbb{B}}_{t},{\mathbb{B}}_{t}^{*}} \right\}_{{t = 0},\ldots\mspace{14mu},{d + 1}}} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 131} \right\rbrack \end{matrix}$

(S102: Hash Key Generation Step)

With the processing device, the master key generation part 110 calculates Formula 132, to generate a hash key hk randomly.

$\begin{matrix} {{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}} & \left\lbrack {{Formula}\mspace{14mu} 132} \right\rbrack \end{matrix}$

(S103: Public Parameter Generation Step)

With the processing device, the master key generation part 110 generates a subbasis B^₀ of the basis B₀, a subbasis B^_(t) of the basis B_(t) for each integer t=1, . . . , d, and a subbasis B^_(d+1) of the basis B_(d+1), as indicated in Formula 133.

₀:=(b _(0,1) ,b _(0,1+u) ₀ _(+w) ₀ ₊₁ , . . . ,b _(0,1+u) ₀ _(+w) ₀ _(+z) ₀ ),

_(t):=(b _(t,1) , . . . ,b _(t,n) _(t) ,b _(t,n) _(t) _(+w) _(t) ₊₁ , . . . ,b _(t,n) _(t) _(+u) _(t) _(+w) _(t) _(+z) _(t) )t=1, . . . ,d,

_(d+1):=(b _(d+1,1) ,b _(d+1,2) ,b _(d+1,2+u) _(d+1) _(+w) _(d+1) ₊₁ , . . . ,b _(d+1,2+u) _(d+1) _(+w) _(d+1) _(+z) _(d+1) )  [Formula 133]

With the processing device, the master key generation part 110 generates a subbasis B^*_(t) of the basis B*_(t) for each integer t=1, . . . , d, and a subbasis B^*_(d+1) of the basis B*_(d+1), as indicated in Formula 134.

_(t)*:=(b _(t,1) *, . . . ,b _(t,n) _(t) *,b _(t,n) _(t) _(+u) _(t) ₊₁ *, . . . ,b _(t,n) _(t) _(+u) _(t) _(+w) _(t) *),

_(d+1)*:=(b _(d+1,1) *,b _(d+1,2) *,b _(d+1,2+u) _(t) ₊₁ *, . . . ,b _(d+1,2+u) _(t) _(+w) _(t) *)  [Formula 134]

The master key generation part 110 treats the generated subbases B^_(d) (t=0, . . . , d+1) and B^*_(t) (t=1, . . . , d+1), the security parameter λ (1^(λ)) inputted in (S101), param_(n→) generated in (S101), the hash key hk generated in (S102), and basis vectors b*_(0,1+u0+1), . . . , b*_(0,1+u0+w0) (where u0 and w0 respectively represent u₀ and w₀) in combination, as the public parameter pk.

(S104: Master Key Generation Step)

The master key generation part 110 treats a basis vector b*_(0,1) of the basis B*₀, as the master key sk.

(S105: Master Key Storing Step)

The master key storage part 120 stores the public parameter pk generated in (S103), in the storage device. The master key storage part 120 also stores the master key sk generated in (S104), in the storage device.

In brief, from (S101) through (S104), the key generation device 100 generates the public parameter pk and the master key sk by executing the Setup algorithm indicated in Formula 135. Then, in (S105), the key generation device 100 stores the generated public parameter pk and master key sk, in the storage device.

Note that the public parameter is publicized via, e.g., a network, so the signature device 200 and verification device 300 can acquire it.

$\begin{matrix} \begin{matrix} {{{Setup}\left( {1^{\lambda},{\overset{\rightarrow}{n}:={\left( {{d;n_{t}},u_{t},w_{t},z_{t}} \right)\left( {{t = 0},\ldots\mspace{14mu},{d + 1}} \right)}}} \right)}\mspace{79mu}{{{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}},{n_{0}:=1},{n_{d + 1}:=2},\mspace{79mu}{\left( {{param}_{\overset{\_}{n}},\left\{ {{\mathbb{B}}_{t},{\mathbb{B}}_{t}^{*}} \right\}_{{t = 0},\mspace{14mu}\ldots\mspace{14mu},{d + 1}}} \right)\overset{R}{\longleftarrow}{g_{ob}\left( {1^{\lambda},\overset{\_}{n}} \right)}},{{\hat{\mathbb{B}}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,n_{t}},b_{t,{n_{t} + u_{t} + w_{t} + 1}},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t} + z_{t}}}} \right)}}\mspace{85mu}{for}\mspace{85mu}{{t = 0},\;\ldots\mspace{14mu},{d + 1},\;{{\hat{\mathbb{B}}}_{t}^{*}:=\left( {b_{t,1}^{*},\;\ldots\mspace{14mu},b_{t,n_{t}}^{*},b_{t,{n_{t} + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t}}}^{*}} \right)}}\mspace{79mu}{for}\mspace{85mu}{{t = 1},\;\ldots\mspace{14mu},{d + 1},\mspace{79mu}{{sk}:=b_{0,1}^{*}},{{pk}:={{\left( {1^{\lambda},{hk},{param}_{\overset{\_}{n}},\left\{ {\hat{\mathbb{B}}}_{t} \right\}_{{t = 0},\;\ldots\mspace{14mu},{d + 1}},\left\{ {\hat{\mathbb{B}}}_{t}^{*} \right\}_{{t = 1},\mspace{14mu}\ldots\mspace{14mu},{d + 1}},\mspace{79mu} b_{0,{1 + u_{0} + 1}}^{*},\ldots\mspace{14mu},b_{0,{1 + u_{0} + w_{0}}}^{*}} \right).\mspace{79mu}{return}}\mspace{14mu}{sk}}},{{pk}.}}} & \; \end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 135} \right\rbrack \end{matrix}$

The process of the KeyGen algorithm executed by the key generation device 100 will be described with reference to FIG. 10.

(S201: Information Input Step)

With the input device, the information input part 130 takes as input an attribute set Γ:={(t, x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t)))|1≦t≦d}. Note that t need not be all of the integers t within the range of 1≦t≦d, but may be at least one of integers t within the range of 1≦t≦d.

(S202: Random Number Generation Step)

With the processing device, the random number generation part 141 generates a random number δ, and random numbers φ₀, φ_(t,ι), φ_(d+1,1,ι), and φ_(d+1,2,ι) (t=1, . . . , d; ι=1, . . . , w_(t)), as indicated in Formula 136.

$\begin{matrix} {{{\delta\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{x}},{{\overset{\rightarrow}{\varphi}}_{0}:={\left( {\varphi_{0,1},\;\ldots\mspace{14mu},\varphi_{0,w_{0}}} \right)\mspace{11mu}\overset{U}{\longleftarrow}\;{\mathbb{F}}_{q}^{w_{0}}}},{{\overset{\rightarrow}{\varphi}}_{t}:={\left( {\varphi_{t,1},\ldots\mspace{14mu},\varphi_{t,w_{t}}} \right)\mspace{11mu}\overset{U}{\longleftarrow}\;{\mathbb{F}}_{q}^{w_{t}}}}}{for}\;{{t = 1},\;\ldots\mspace{14mu},d,{{\overset{\rightarrow}{\varphi}}_{{d + 1},1}:=\left( {\varphi_{{d + 1},1,1},\;\ldots\mspace{14mu},\varphi_{{d + 1},1,w_{d + 1}}} \right)},{{\overset{\rightarrow}{\varphi}}_{{d + 1},2}:={\left( {\varphi_{{d + 1},2,1},\;\ldots\mspace{14mu},\varphi_{{d + 1},2,w_{d + 1}}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{w_{d + 1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 136} \right\rbrack \end{matrix}$

(S203: Key Element 0 Generation Step)

With the processing device, the key element 0 generation part 142 generates a key element k*₀, which is an element of the signing key sk_(Γ), as indicated in Formula 137.

$\begin{matrix} {k_{0}^{*}:={\left( {\delta,\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{\overset{w_{0}}{︷}}{\varphi_{0,1},\ldots,\varphi_{0,w_{0}}},\overset{\overset{z_{0}}{︷}}{0^{z_{0}}}} \right){\mathbb{B}}_{0}^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 137} \right\rbrack \end{matrix}$

As described above, for the bases B and B* indicated in Formula 113, Formula 114 is established. Hence, Formula 137 means that the coefficient for the basis vector of a basis B*₀ is set as described below. For the purpose of simple representation, a basis vector b*_(0,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector V_(0,1). Basis vectors 1, . . . , 3 signify basis vectors b*_(0,1), . . . , V_(0,3), respectively.

The random number δ is set as the coefficient for the basis vector 1 of the basis B*₀. 0 is set as the coefficient for basis vectors 1+1, . . . , 1+u₀. Random numbers φ_(0,1), . . . , φ_(0,w0) (where w0 represents w₀) are each set as the coefficient for basis vectors 1+u₀+1, . . . , 1+u₀+w₀. 0 is set as the coefficient for basis vectors 1+u₀+w₀+1, . . . , 1+u₀+w₀+z₀.

(S204: Key Element t Generation Step)

With the processing device, the key element t generation part 143 generates a key element k*, which is an element of the signing key sk_(Γ), for each integer t of (t, x^(→) _(t)) included in the attribute set Γ, as indicated in Formula 138.

$\begin{matrix} {{k_{t}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{{\delta\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\overset{\overset{w_{t}}{︷}}{\varphi_{t,1},\ldots\mspace{14mu},\varphi_{t,w_{t}},}\overset{\overset{z_{t}}{︷}}{0^{z_{t}}}} \right){\mathbb{B}}_{t}^{*}}}\;{for}\text{}\;{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 138} \right\rbrack \end{matrix}$

More specifically, as Formula 137 does, Formula 138 means that the coefficient for the basis vector of a basis B*_(t) is set as described below. For the purpose of simple representation, a basis vector b*_(t,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b*_(t,1). Basis vectors 1, . . . , 3 signify basis vectors b*_(t,1), . . . , b*_(t,3), respectively.

δx_(t,1), . . . , δx_(t,nt) (where nt represents n_(t)) are each set as the coefficient for the basis vectors 1, . . . , n_(t). 0 is set as the coefficient for basis vectors n_(t)+1, . . . , n_(t)+u_(t). Random numbers φ_(t,t), . . . , φ_(t,wt) (where wt represents w_(t)) are each set as the coefficient for basis vectors n_(t)+u_(t)+1, . . . , n_(t)+u_(t)+w_(t). 0 is set as the coefficient for basis vectors n_(t)+u_(t)+w_(t)+1, . . . , n_(t)+u_(t)+w_(t)+z_(t).

(S205: Key Element d+1 Generation Step)

With the processing device, the key element d+1 generation part 144 generates a key element k*_(d+1,1) and a key element k*_(d+1,2), which are elements of the signing key sk_(Γ), as indicated in Formula 139.

$\begin{matrix} {{k_{{d + 1},1}^{*}:={\left( {\overset{\overset{2}{︷}}{{\delta\left( {1,0} \right)},}\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}},}\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},1,1},\ldots,\varphi_{{d + 1},1,w_{d + 1}},}\overset{\overset{z_{d + 1}}{︷}}{o^{z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}^{*}}},{k_{{d + 1},2}^{*}:={\left( {\overset{\overset{2}{︷}}{{\delta\left( {0,1} \right)},}\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}},}\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},2,1},\ldots,\varphi_{{d + 1},2,w_{d + 1}},}\overset{\overset{z_{d + 1}}{︷}}{o^{z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 139} \right\rbrack \end{matrix}$

Namely, as Formula 137 does, Formula 139 means that the coefficient for the basis vector of the basis B*_(d+1) is set as described below. For the purpose of simple representation, a basis vector b*_(d+1,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b*_(d+1,1). Basis vectors 1, . . . , 3 signify basis vectors b*_(d+1,1), . . . , b*_(d+1,3), respectively.

First, regarding the key element k*_(d+1,1), the random number δ is set as the coefficient for the basis vector 1. 0 is set as the coefficient for the basis vector 2. 0 is set as the coefficient for basis vectors 2+1, . . . , 2+u_(d+1). Random numbers φ_(d+1,1,1), . . . , φ_(d+1,1,wd+1) (where wd+1 represents w_(d+1)) are each set as the coefficient for basis vectors 2+u_(d+1)+1, . . . , 2+u_(d+1)+w_(d+1). 0 is set as the coefficient for basis vectors 2+u_(d+1)+w_(d+1)+1, . . . , 2+u_(d+1)+w_(d+1)+z_(d+1).

Regarding the key element k*_(d+1,2), 0 is set as the coefficient for the basis vector 1. The random number δ is set as the coefficient for the basis vector 2. 0 is set as the coefficient for basis vectors 2+1, . . . , 2+u_(d+1). Random numbers θ_(d+1,2,1), . . . , φ_(d+1,2,wd+1) (where wd+1 represents w_(d+1)) are each set as the coefficient for basis vectors 2+u_(d+1)+1, . . . , 2+u_(d+1)+w_(d+1). 0 is set as the coefficient for basis vectors 2+u_(d+1)+w_(d+1)+1, . . . , 2+u_(d+1)+w_(d+1)+z_(d+1).

(S206: Key Distribution Step)

For example, with the communication device, the key distribution part 150 distributes the signing key sk_(Γ), constituted by, as elements, the attribute set Γ, the key element k*₀, the key element k*_(t) (t in (t, x^(→) _(t)) included in the attribute set Γ), the key element k*_(d+1,1), and the key element k*_(d+1,2), to the signature device 200 in secrecy via the network. As a matter of course, the signing key sk_(Γ) may be distributed to the signature device 200 by another method.

In brief, from (S201) through (S205), the key generation device 100 generates the signing key sk_(Γ) by executing the KeyGen algorithm indicated in Formula 140. In (S206), the key generation device 100 distributes the generated signing key sk_(Γ) to the signature device 200.

$\begin{matrix} {{KeyGen}\left( {{pk},{sk},{\Gamma:={\quad{{\left\{ {\left( {t,{{\overset{\rightarrow}{x}}_{t}:={\left( {x_{t,1},\cdots\mspace{14mu},x_{t,n_{t}}} \right) \in {\mathbb{F}}_{q}^{n_{t}}}}} \right)\left. {1 \leq t \leq d} \right\}} \right)\mspace{85mu}{\delta\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{x}}},{{\overset{\mspace{56mu}}{\mspace{79mu}\overset{\rightarrow}{\varphi}}}_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{w_{0}}},{{{{\overset{\rightarrow}{\varphi}}_{t}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{w_{t}}}\mspace{79mu}{for}\mspace{79mu} t} = 1},\ldots\mspace{14mu},d,\mspace{79mu}{\overset{\rightarrow}{\varphi}}_{{d + 1},1},{{\overset{\rightarrow}{\varphi}}_{{d + 1},2}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{w_{d + 1}}},\mspace{79mu}{k_{0}^{*}:={\left( {\delta,\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{\overset{w_{0}}{︷}}{\varphi_{0,1},\ldots\mspace{14mu},\varphi_{0,w_{0}}},\overset{\overset{z_{0}}{︷}}{0^{z_{0}}}} \right){\mathbb{B}}_{0}^{*}}},{k_{t}^{*}:={{\left( {\overset{\overset{n_{t}}{︷}}{\delta\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},{\overset{\overset{w_{t}}{︷}}{\varphi_{t,1},\ldots\mspace{14mu},\varphi_{t,w_{t},}}\overset{\overset{z_{t}}{︷}}{0^{z_{t}}}}} \right){\mathbb{B}}_{t}^{*}\mspace{79mu}{for}\mspace{79mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}},{k_{{d + 1},1}^{*}:={\left( {\overset{\overset{2}{︷}}{\delta\left( {1,0} \right)},\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}}},\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},1,1},\ldots\;,\varphi_{{d + 1},1,w_{d + 1}}},\overset{\overset{z_{d + 1}}{︷}}{0^{z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}^{*}}},{k_{{d + 1},2}^{*}:={\left( {\overset{\overset{2}{︷}}{\delta\left( {0,1} \right)},\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}}},\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},2,1},\ldots\;,\varphi_{{d + 1},2,w_{d + 1}}},\overset{\overset{z_{d + 1}}{︷}}{0^{z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}^{*}}},{T:={\left\{ {0,\left( {{d + 1},1} \right),\left( {{d + 1},2} \right)} \right\} U\left\{ {{t❘{1 \leq t \leq d}},{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \in \Gamma}} \right\}}},\mspace{79mu}{{{return}\mspace{14mu} s\; k_{\Gamma}}:={\left( {\Gamma,\left\{ k_{t}^{*} \right\}_{t \in T}} \right).}}}}}} \right.} & \left\lbrack {{Formula}\mspace{14mu} 140} \right\rbrack \end{matrix}$

The function and operation of the signature device 200 will be described.

As shown in FIG. 7, the signature device 200 is provided with a signing key acquisition part 210, an information input part 220 (second information input part), a span program calculation part 230, a complementary coefficient calculation part 240, a signature data generation part 250, and a signature data transmission part 260 (signature data output part).

The information input part 220 is provided with a predicate information input part 221 and a message input part 222. The signature data generation part 250 is provided with a random number generation part 251, a signature element 0 generation part 252, a signature element i generation part 253, and a signature element L+1 generation part 254.

The process of the Sig algorithm executed by the signature device 200 will be described with reference to FIG. 11.

(S301: Signing key Acquisition Step)

For example, with the communication device, the signing key acquisition part 210 acquires the signing key sk_(Γ) generated by the key generation device 100, via the network. The signing key acquisition part 210 also acquires the public parameter pk generated by the key generation device 100.

(S302: Information Input Step)

With the input device, the predicate information input part 221 takes as input the access structure S:=(M, ρ). The matrix M is a matrix of L rows×r columns. L and r are each an integer of 1 or more.

With the input device, the message input part 220 takes as input the message m to be signed.

The matrix M of the access structure S is to be set depending on the condition of the system to be realized.

(S303: Span Program Calculation Step)

With the processing device, the span program calculation part 230 checks whether or not the access structure S inputted in (S302) accepts the attribute set Γ included in the signing key sk_(Γ) acquired in (S301).

The method of checking whether or not the access structure accepts the attribute set is the same as that described in “3. Concept for Implementing Attribute-Based Signature Scheme”.

The span program calculation part 230 advances the process to (S304) if the access structure S accepts the attribute set Γ (accept in S303). If the access structure S rejects the attribute set Γ (reject in S303), the span program calculation part 230 ends the process.

(S304: Complementary Coefficient Calculation Step)

With the processing device, the complementary coefficient calculation part 430 calculates I and a constant (complementary coefficient) α_(i) for each integer i included in I, which I and α_(i) satisfying Formula 141.

$\begin{matrix} {\left. {{\Sigma_{i \in I}\alpha_{i}M_{i}\mspace{14mu}\text{:=}\mspace{14mu}\overset{\rightharpoonup}{1}}\;{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots,L} \right\}} \middle| {{{\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightharpoonup}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightharpoonup}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightharpoonup}{v}}_{i}} \cdot {\overset{\rightharpoonup}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} =}\quad \right.}{\left( {t,{\overset{\rightharpoonup}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightharpoonup}{x}}_{t}} \right)}} \in {{{\Gamma\bigwedge{\overset{\rightharpoonup}{v}}_{i}} \cdot {\overset{\rightharpoonup}{x}}_{t}} \neq 0}} \right\rbrack}} \right\},} & \left\lbrack {{Formula}\mspace{14mu} 141} \right\rbrack \end{matrix}$

Note that M_(i) signifies the i-th row of the matrix M.

(S305: Random Number Generation Step)

With the processing device, the random number generation part 251 generates a random number ξ and a random number β_(i) (i=1, . . . , L), as indicated in Formula 142.

$\begin{matrix} {\;{{\xi\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{x}},{\left( \beta_{i} \right)\overset{U}{\longleftarrow}\left\{ {{\left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right)❘{\sum\limits_{i = 1}^{L}\;{\beta_{i}M_{i}}}} = \overset{\rightarrow}{0}} \right\}}}} & \left\lbrack {{Formula}\mspace{14mu} 142} \right\rbrack \end{matrix}$

(S306: Signature Element 0 Generation Step)

With the processing device, the signature element 0 generation part 252 generates s*₀ which is an element of the signature data σ, as indicated in Formula 143. s ₀ *:=ξk ₀ *+r ₀*  [Formula 143]

Note that r*₀ is defined by Formula 144 (see Formulas 110 through 112 and their explanations).

$\begin{matrix} {{r_{0}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{0,{1 + u_{0} + 1}}^{*},\ldots\;,b_{0,{1 + u_{0} + w_{0}}}^{*}} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack \end{matrix}$

(S307: Signature Element i Generation Step)

With the processing device, the signature element i generation part 253 generates a signature element s*_(i) which is an element of the signature data σ, for each integer i=1, . . . , L, as indicated in Formula 145. s _(i)*:=γ_(i) ·ξk _(t)*+Σ_(t=1) ^(n) ^(t) y _(i,l) ·b _(t,l) *+r _(i)*for 1≦i≦L  [Formula 145]

Note that r*_(i) is defined by Formula 146 (see Formulas 110 through 112 and their explanations).

$\begin{matrix} {{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{t,{n_{t} + u_{t} + 1}}^{*},\ldots\mspace{11mu},b_{t,{n_{t} + u_{t} + w_{t}}}^{*}} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 146} \right\rbrack \end{matrix}$

Also, γ_(i) and y^(→) _(i):=′y_(1,i′) (i′=1, . . . , n_(t)) are defined by Formula 147.

$\begin{matrix} {{{{if}\mspace{11mu} i\;\varepsilon\mspace{11mu}{I\;\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},} & \left\lbrack {{Formula}\mspace{20mu} 147} \right\rbrack \\ {{\gamma_{i}:=\alpha_{i}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\leftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{\nu}}_{i}}} = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},} & \; \\ {{{{if}\mspace{11mu} i\;\varepsilon\mspace{11mu}{I\;\bigwedge{\rho(i)}}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},} & \; \\ {{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\leftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{\nu}}_{i}}} = \beta_{i}} \right\}},} & \mspace{11mu} \\ {{{{{if}\mspace{11mu} i} \notin \mspace{11mu}{I\;\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},} & \; \\ {{\gamma_{i}:=0},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\leftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{\nu}}_{i}}} = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},} & \; \\ {{{{{if}\mspace{11mu} i} \notin {I\;\bigwedge{\rho(i)}}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},} & \; \\ {{\gamma_{i}:=0},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\leftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{\nu}}_{i}}} = \beta_{i}} \right\}}} & \; \end{matrix}$

(S308: Signature Element L+1 Generation Step)

With the processing device, the signature element L+1 generation part 254 generates a signature element s*_(L+1), which is an element of the signature data σ, as indicated in Formula 148. s _(L+1)*:=ξ(k _(d+1,1) *+H _(hk) ^(λ,D)(m∥

)·k _(d+1,2)*)+r _(L+1)*  [Formula 148]

Note that r*_(L+1) is defined by Formula 149 (see Formulas 110 through 112 and their explanations).

$\begin{matrix} {{r_{L + 1}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{{d + 1},{2 + u_{d + 1} + 1}}^{*},\;\ldots\;,b_{{d + 1},{2 + u_{d + 1} + w_{d + 1}}}^{*}} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 149} \right\rbrack \end{matrix}$

(S309: Data Transmission Step)

For example, with the communication device, the signature data transmission part 260 transmits the signature data σ, including the signature element s*₀, the signature element s*_(i) (i=1, . . . , L), the signature element s*_(L+1), the message m, and the access structure S:=(M, ρ), to the verification device 300 via the network. As a matter of course, the signature data σ may be transmitted to the verification device 300 by another method.

In brief, from (S301) through (S308), the signature device 200 generates the signature data σ by executing the Sig algorithm indicated in Formula 150. In (S309), the signature device 200 distributes the generated signature data σ to the verification device 300.

     Sig(pk, sk_(Γ), m, 𝕊 := (M, ρ))               [Formula  150] $\mspace{79mu}{{{{If}\mspace{14mu}{\mathbb{S}}}:={{\left( {M,\rho} \right)\mspace{20mu}{accepts}\mspace{14mu}\Gamma}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}},\mspace{79mu}{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}}$ ${\underset{\mspace{101mu}{i \in I}}{\overset{\;}{\mspace{76mu}\sum}}\;{\alpha_{i}M_{i}}}:=\overset{\rightarrow}{1}$      and $I \subseteq \left\{ {{{i\; \in \left\{ {1,\ldots\mspace{14mu},L} \right\}}❘{\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack \right\}}},\mspace{79mu}{\xi\overset{U}{\leftarrow}{\mathbb{F}}_{q}^{x}},\mspace{76mu}{\left( \beta_{i} \right)\overset{U}{\longleftarrow}\left\{ {{\left( {\beta_{1},\;\ldots\mspace{14mu},\beta_{L}} \right)❘{\sum\limits_{i = 1}^{L}\;{\beta_{i}M_{i}}}} = \overset{\rightarrow}{0}} \right\}},\mspace{79mu}{s_{0}^{*}:={{\xi\; k_{0}^{*}} + r_{0}^{*}}},\mspace{79mu}{{where}\mspace{79mu}{r_{0}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{0,{1 + u_{0} + 1}}^{*},\ldots\mspace{14mu},b_{0,{1 + u_{0} + w_{0}}}^{*}} \right\rangle},\mspace{79mu}{s_{i}^{*}:={{{\gamma_{i} \cdot \xi}\; k_{t}^{*}} + {\sum\limits_{t = 1}^{n_{t}}\;{y_{i,t} \cdot b_{t,t}^{*}}} + r_{i}^{*}}},\mspace{79mu}{{{for}\mspace{76mu} 1} \leq i \leq L},\mspace{76mu}{{where}\mspace{76mu}{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{t,{n_{t} + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t}}}^{*}} \right\rangle},\mspace{76mu}{{and}\mspace{76mu}\gamma_{i}},{{\overset{\rightarrow}{y}}_{i}:={{\left( {y_{i,1},\ldots\mspace{14mu},y_{i,n_{t}}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}\begin{matrix} {{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},} & {{\gamma_{i}:=\alpha_{i}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},} \\ {{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},} & {{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}}},} \\ \; & {{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = \beta_{i}} \right\}},} \\ {{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},} & {\;{{\gamma_{i}:=0},}} \\ \; & {{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},} \\ {{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},} & {\;{{\gamma_{i}:=0},}} \\ \; & {{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {{{\overset{\rightarrow}{y}}_{i}❘{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = \beta_{i}} \right\}},} \end{matrix}\mspace{79mu} s_{L + 1}^{*}}:={\xi\left( {{k_{{d + 1},1}^{*} + {H_{hk}^{\lambda,D}\left( {m{\left. {\mathbb{S}} \right) \cdot k_{{d + 1},2}^{*}}} \right)} + r_{L + 1}^{*}},\mspace{79mu}{{where}\mspace{79mu}{r_{L + 1}^{*}\overset{U}{\longleftarrow}{span}}\left\langle b_{{d + 1},{2 + u_{d + 1} + 1},\mspace{11mu}\ldots\mspace{14mu},b_{{d + 1},{2 + u_{d + 1} + w_{d + 1}}}^{*}}^{*} \right\rangle},\mspace{79mu}{{{return}\mspace{14mu}{\overset{\rightarrow}{s}}^{*}}:={\left( {s_{0}^{*},\ldots\mspace{14mu},s_{L + 1}^{*}} \right).}}} \right.}}}} \right.$

The function and operation of the verification device 300 will be described.

As shown in FIG. 8, the verification device 300 is provided with a public parameter acquisition part 310, a data reception part 320, a verification key generation part 330, and a pairing operation part 340.

The verification key generation part 330 is provided with a random number generation part 331, an f vector generation part 332, an s vector generation part 333, a verification element 0 generation part 334, a verification element i generation part 335, and a verification element L+1 generation part 336.

The process of the Ver algorithm executed by the verification device 300 will be described with reference to FIG. 12.

(S401: Public Parameter Acquisition Step)

For example, with the communication device, the public parameter acquisition part 310 acquires the public parameter pk generated by the key generation device 100, via the network.

(S402: Signature Data Reception Step)

For example, with the communication device, the data reception part 320 receives the signature data σ transmitted by the signature device 200, via the network.

(S403: f Vector Generation Step)

With the processing device, the f vector generation part 332 generates a vector f^(→) having r pieces of elements, randomly as indicated in Formula 151.

$\begin{matrix} {\overset{\rightarrow}{f}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack \end{matrix}$

(S404: s Vector Generation Step)

With the processing device, the s vector generation part 333 generates a vector s^(→T), based on the (L rows×r columns) matrix M of the access structure S included in the signature data σ received in (S402) and the vector f^(→) generated in (S403) and having r pieces of elements, as indicated in Formula 152. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))T:=M·{right arrow over (f)} ^(T)  [Formula 152]

With the processing device, the s vector generation part 333 generates a value s₀, based on the vector f^(→) generated in (S403), as indicated in Formula 153. Note that 1^(→) is a vector which has a value 1 in all its elements. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 153]

(S405: Random Number Generation Step)

With the processing device, the random number generation part 331 generates a random number η_(0,i) for each integer i=1, . . . , z₀, a random number η_(L+1,i) for each integer i=1, . . . , z_(d+1), a random number θ_(L+1), and a random number s_(L+1), as indicated in Formula 154.

$\begin{matrix} {{{\overset{\rightarrow}{\eta}}_{0}:={\left( {\eta_{0,1},\ldots\mspace{14mu},\eta_{0,z_{0}}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{z_{0}}}},{\eta_{L + 1}:={\left( {\eta_{{L + 1},1},\ldots\mspace{14mu},\eta_{{L + 1},z_{d + 1}}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{z_{d + 1}}}},\mspace{79mu}\theta_{L + 1},{s_{L + 1}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack \end{matrix}$

(S406: Verification Element 0 Generation Step)

With the processing device, the verification element 0 generation part 334 generates a verification element c₀, which is an element of the verification key, as indicated in Formula 155.

$\begin{matrix} {c_{0}:={\left( {{{- s_{0}} - s_{L + 1}},\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{\overset{w_{0}}{︷}}{0^{w_{0}}},\overset{\overset{z_{0}}{︷}}{\eta_{0,1},\ldots\mspace{14mu},\eta_{0,z_{0}}}} \right){\mathbb{B}}_{0}}} & \left\lbrack {{Formula}\mspace{14mu} 155} \right\rbrack \end{matrix}$

As described above, for the bases B and B* indicated in Formula 113, Formula 114 is established. Hence, Formula 155 means that the coefficient for the basis vector of the basis B₀ is set as described below. For the purpose of simple representation, a basis vector b_(0,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b_(0,1). Basis vectors 1, . . . , 3 signify basis vectors b_(0,1), . . . , b_(0,3), respectively.

−s₀−s_(L+1) is set as the coefficient for the basis vector 1 of the basis B₀. 0 is set as the coefficient for basis vectors 1+1, . . . , 1+u₀+w₀. Random numbers η_(0,1), . . . , η_(0,z0) (where z0 represents z₀) are each set as the coefficient for basis vectors 1+u₀+w₀+1, . . . , 1+u₀+w₀+z₀ (where z0 represents z₀).

(S407: Verification Element i Generation Step)

With the processing device, the verification element i generation part 335 generates a verification element which is an element of the verification key, for each integer i=1, . . . , L, as indicated in Formula 156.

if ⁢ ⁢ ρ ⁡ ( i ) = ( t , v ⇀ i ⁢ ⁢ := ⁢ ⁢ ( v i , 1 , … , v i , n t ) ∈ 𝔽 q n t ) , ⁢ θ i ⁢ ← ⋃ ⁢ 𝔽 q , η ⇀ i ⁢ ⁢ := ⁢ ⁢ ( η i , 1 , … , η i , z t ) ⁢ ← ⋃ ⁢ 𝔽 q z t , ⁢ c i ⁢ ⁢ := ⁢ ⁢ ( s i + θ i ⁢ v i , 1 , θ i ⁢ v i , 2 , … , θ i ⁢ v i , n t ︷ n t , 0 u t ︷ u t , 0 w t ︷ w t , η i , 1 , … , η i , z t ︷ z t ) t , ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ⁢ ( t , v ⇀ i ⁢ ⁢ := ⁢ ⁢ ( v i , 1 , … , v i , n t ) ∈ 𝔽 q n t ) , ⁢ η ⇀ i ⁢ ⁢ := ⁢ ⁢ ( η i , 1 , … , η i , z t ) ⁢ ← ⋃ ⁢ 𝔽 q z t , ⁢ c i ⁢ ⁢ := ⁢ ⁢ ( s i ⁡ ( v i , 1 , … , v i , n t ) ︷ n t , 0 u t ︷ u t , 0 w t ︷ w t , η i , 1 , … , η i , z t ︷ z t ) ⁢ 𝔹 t [ Formula ⁢ ⁢ 156 ]

In brief, as Formula 155 does, Formula 156 means that the coefficient for the basis vector of the basis B_(t) is set as described below. For the purpose of simple representation, a basis vector b_(t,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b_(t,1). Basis vectors 1, . . . , 3 signify basis vectors b_(t,1), . . . , b_(t,3), respectively.

When ρ(i) is a positive tuple (t, v^(→) _(i)), s_(i)+θ_(i)v_(i,1) is set as the coefficient for the basis vector 1. θ₁v_(t,2), . . . , θ_(i)v_(i,nt) (where nt represents n_(t)) are each set as the coefficient for basis vectors 2, . . . , n_(t). 0 is set as the coefficient for basis vectors n_(t)+1, . . . , n_(t)+u_(t)+w_(t). η_(i,1), . . . , η_(i,zt) (where zt represents z_(t)) are each set as the coefficient for basis vectors n_(t)+u_(t)+w_(t)+1, . . . , n_(t)+u_(t)+w_(t)+z_(t).

When ρ(i) is a negative tuple

(t, v^(→) _(i)), s_(i)v_(i,1), . . . , s_(i)v_(i,nt) (where nt represents n_(t)) are each set as the coefficient for the basis vectors 1, . . . , n_(t). 0 is set as the coefficient for basis vectors n_(t)+1, . . . , n_(t)+u_(t)+w_(t). η_(i,1), . . . , η_(i,zt) (where zt represents z_(t)) are each set as the coefficient for basis vectors n_(t)+u_(t)+w_(t)+1, . . . , n_(t)+u_(t)+w_(t)+z_(t).

Note that θ_(i) and η_(i,i′) (i′=1, . . . , z_(t)) are uniform random numbers generated by the random number generation part 233.

(S408: Signature Element L+1 Generation Step)

With the processing device, the verification element L+1 generation part 336 generates a verification element c_(L+1), which is an element of the verification key, as indicated in Formula 157.

c L + 1 ⁢ ⁢ := ⁢ ⁢ ( s L + 1 - θ L + 1 ⁢ H hk λ , D ⁡ ( m || 𝕊 ) , θ L + 1 ︷ 2 , 0 u d + 1 ︷ u d + 1 , 0 w d + 1 ︷ w d + 1 , η L + 1 , 1 , … , η L + 1 , z d + 1 ︷ z d + 1 ) ⁢ 𝔹 d + 1 [ Formula ⁢ ⁢ 157 ]

In brief, as Formula 155 does, Formula 157 means that the coefficient for the basis vector of the basis B_(d+1) is set as described below. For the purpose of simple representation, a basis vector b_(d+1,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b_(d+1,i). Basis vectors 1, . . . , 3 signify basis vectors b_(d+1,1), . . . , b_(d+1,3), respectively.

s_(L+1)−θ_(L+1)·H_(hk) ^(λ,D) (m∥S) is set as the coefficient for the basis vector 1. δ_(L+1) is set as the coefficient for the basis vector 2. 0 is set as the coefficient for basis vectors 2+1, . . . , 2+u_(d+1)+w_(d+1). Random numbers η_(L+1,zd+1) (where zd+1 represents z_(d+1)) are each set as the coefficient for basis vectors 2+u_(d+1)+w_(d+1)+1, . . . , 2+u_(d+1)+w_(d+1)+z_(d+1).

(S409: First Pairing Operation Step)

With the processing device, the pairing operation part 340 conducts a pairing operation e(b_(0,1), s*₀).

If the calculation result of the pairing operation e(b_(0,1), s*₀) is value 1, the pairing operation part 340 outputs value 0 indicating failure of the signature verification, and ends the process. If the calculation result of the pairing operation e(b_(0,1), s*₀) is not value 1, the pairing operation part 340 advances the process to S410.

(S410: Second Pairing Operation Step)

With the processing device, the pairing operation part 340 conducts a pairing operation indicated in Formula 158. Π_(i=0) ^(L+1) e(c _(i) ,s _(i)*)  [Formula 158]

If the calculation result of the pairing operation indicated in Formula 158 is value 1, the pairing operation part 340 outputs value 1 indicating success of the signature verification; and otherwise value 0 indicating failure of the signature verification.

If the signature data σ is authentic, as the consequence of calculating Formula 158, value 1 is obtained, as indicated in Formula 159.

$\begin{matrix} \begin{matrix} {{\Pi_{i = 0}^{L + 1}{e\left( {c_{i},s_{i}^{*}} \right)}} = {{{e\left( {c_{0},k_{0}^{*}} \right)}^{\xi} \cdot \Pi_{i \in I}}{{e\left( {c_{i},k_{t}^{*}} \right)}^{\gamma_{i}\xi} \cdot}}} \\ {= {\Pi_{i = 1}^{L}\Pi_{l = 1}^{n_{t}}{{e\left( {c_{i},b_{t,l}^{*}} \right)}^{y_{i,t}} \cdot {e\left( {c_{L + 1},s_{L + 1}^{*}} \right)}}}} \\ {= {{g_{T}^{{\xi\delta}{({{- s_{0}} - s_{L + 1}})}} \cdot \Pi_{i \in I}}g_{T}^{{\xi\delta\alpha}_{i}s_{i}}\Pi_{i = 1}^{L}{g_{T}^{\beta_{i}s_{i}} \cdot g_{T}^{{\xi\delta}\; s_{L + 1}}}}} \\ {= {{g_{T}^{{\xi\delta}{({{- s_{0}} - s_{L + 1}})}} \cdot g_{T}^{{\xi\delta}\; s_{0}} \cdot g_{T}^{{\xi\delta}\; s_{L + 1}}} = 1.}} \end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 159} \right\rbrack \end{matrix}$

In brief, from (S401) through (S410), the verification device 300 verifies the signature data σ by executing the Ver algorithm indicated in Formula 160.

Ver ⁡ ( pk , m , 𝕊 ⁢ ⁢ := ⁢ ⁢ ( M , ρ ) , s ⇀ * ) ⁢ ⁢ ⁢ f ⇀ ⁢ ← ⋃ ⁢ 𝔽 q r , s ⇀ T ⁢ ⁢:= ⁢ ⁢ ( s 1 , … , s L ) T ⁢ ⁢ := ⁢ ⁢ M · f ⇀ T , ⁢ s 0 ⁢ ⁢ := ⁢ ⁢ 1 ⇀ · f ⇀ T , ⁢ η ⇀ 0 ⁢ ← ⋃ ⁢ 𝔽 q z 0 , η L + 1 ⁢ ← ⋃ ⁢ 𝔽 q z d + 1 , θ L + 1 , s L + 1 ⁢ ← ⋃ ⁢ 𝔽 q , ⁢ c 0 ⁢ ⁢ := ⁢ ⁢ ( - s 0 - s L + 1 , 0 u 0 ︷ u 0 , 0 w 0 ︷ w 0 , ⁢ η 0 , 1 , … , η 0 , z 0 ︷ z 0 ) ⁢ 𝔹 0 , ⁢ for ⁢ ⁢ 1 ≤ i ≤ L , ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ( t , v ⇀ i ⁢ ⁢ := ⁢ ⁢ ( v i , 1 , … , v i , n t ) ∈ 𝔽 q n t ) , ⁢ if ⁢ ⁢ s i * ∉ 𝕍 t ⁢ ⁢ return ⁢ ⁢ 0 , ⁢ else ⁢ ⁢ θ i ⁢ ← ⋃ ⁢ 𝔽 q , η ⇀ i ⁢ ← ⋃ ⁢ 𝔽 q z t , ⁢ c i ⁢ ⁢:= ⁢ ⁢ ( s i + θ i ⁢ v i , 1 , θ i ⁢ v i , 2 , … , θ i ⁢ v i , n t ︷ n t , ⁢ 0 u t ︷ u t , 0 w t ︷ w t , ⁢ η i , 1 , … , η i , z t ︷ z t ) ⁢ 𝔹 t , ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ⁢ ( t , v ⇀ i ⁢ ⁢ := ⁢ ⁢ ( v i , 1 , … , v i , n t ) ∈ 𝔽 q n t ) , ⁢ if ⁢ ⁢ s i * ∉ 𝕍 t ⁢ ⁢ return ⁢ ⁢ 0 , ⁢ else ⁢ ⁢ η ⇀ i ⁢ ← ⋃ ⁢ 𝔽 q z t , ⁢ c i ⁢ ⁢ := ⁢ ⁢ ( s i ⁡ ( v i , 1 , … , v i , n t ) ︷ n t , 0 u t ︷ u t , 0 w t ︷ w t , ⁢ η i , 1 , … , η i , z t ︷ z t ) ⁢ 𝔹 t ⁢ ⁢ c L + 1 ⁢ ⁢ := ⁢ ⁢ ⁢ ⁢ ( s L + 1 - θ L + 1 ⁢ H hk λ , D ⁡ ( m || 𝕊 ) , θ L + 1 ︷ 2 , 0 u d + 1 ︷ u d + 1 , 0 w d + 1 ︷ w d + 1 , ⁢ η L + 1 , 1 , … , η L + 1 , z d + 1 ︷ z d + 1 ) ⁢ 𝔹 d + 1 ⁢ ⁢ return ⁢ ⁢ 0 ⁢ ⁢ if ⁢ ⁢ e ⁡ ( b 0 , 1 , s 0 * ) = 1 , ⁢ return ⁢ ⁢ 1 ⁢ ⁢ if ⁢ ⁢ Π i = 0 L + 1 ⁢ e ⁡ ( c i , s i * ) = 1 , ⁢ return ⁢ ⁢ 0 ⁢ ⁢ otherwise . [ Formula ⁢ ⁢ 160 ]

As described above, the signature processing system 10 according to Embodiment 1 implements the attribute-based signature scheme using the access structure S constructed using the span program, inner-product predicate, and secret distribution. In particular, as the signature processing system 10 according to Embodiment 1 uses a non-monotone span program, it implements an attribute-based signature scheme with a non-monotone predicate.

The attribute-based signature scheme implemented by the signature processing system 10 according to Embodiment 1 is highly secure and satisfies privacy requirements. Being highly secure signifies that the signature is not likely to be forged by others.

The pairing operation e(b_(0,1), s*₀) in (S409) is to check that the signature data σ is not signature data generated without using the basis vector b*_(0,1) which is secret (which is the master key sk).

The pairing operation e(b_(0,1), s*₀) is an operation to check whether the signature element s*₀ includes the basis vector b*_(0,1), namely, whether a value other than 0 is set as the coefficient for the basis vector b*_(0,1). If pairing operation e(b_(0,1), s*₀)=1, then in the signature element s*₀, 0 is set as the coefficient for the basis vector b*_(0,1), signifying that the signature data σ is signature data generated without using the basis vector b*_(0,1). Therefore, in this case, the signature data σ is determined as fake.

In the above description, the dimensions u_(t), w_(t), and z_(t) (t=0, . . . , d+1) are provided to enhance the security. Therefore, if u_(t), w_(t), and z_(t) (t=0, . . . , d+1) are each set to 0, the dimensions u_(t), w_(t), and z_(t) (t=0, . . . , d+1) need not be provided, although the security may be degraded.

In the above description, in (S101), n_(t)+u_(t)+w_(t)+z_(t) is set in N_(t). Alternatively, n_(t)+u_(t)+w_(t)+z_(t) may be replaced by n_(t)+n_(t)+n_(t)+1, and 3n_(t)+1 may be set in N_(t). Note that n₀ is 1 and that n_(t) (t=1, . . . , d+1) is 2.

In this case, the Setup algorithm indicated in Formula 135 is rewritten as indicated in Formula 161. Note that G_(ob) is written as indicated in Formula 162.

Setup ⁡ ( 1 λ , n ⇀ ⁢ ⁢ := ⁢ ⁢ ( d ; 2 , … , 2 ) ) ⁢ ⁢ hk ⁢ ← R ⁢ KH λ , n 0 ⁢ ⁢ := ⁢⁢1 , n d + 1 ⁢ ⁢ := ⁢ ⁢ 2 , ⁢ ( param n ⇀ , { 𝔹 t , 𝔹 t * } t = 0 , ⋯ , d + 1 ) ⁢ ← R ⁢ ob ⁢ ( 1 λ , n ⇀ ) , [ Formula ⁢ ⁢ 161 ] ^ 0 ⁢ ⁢ := ⁢ ⁢ ( b 0 , 1 , b 0 , 4 ) , ⁢ ^ t ⁢ ⁢ := ⁢ ⁢ ( b t , 1 , b t , 2 , b t , 7 ) ⁢ ⁢ for ⁢ ⁢ t = 1 , … , d + 1 , ⁢ ^ t * ⁢ ⁢ := ⁢ ⁢ ( b t , 1 * , b t , 2 * , b t , 5 * , b t , 6 * ) ⁢ ⁢for ⁢ ⁢ t = 1 , … , d + 1 , sk ⁢ ⁢ := ⁢ ⁢ b 0 , 1 * , ⁢ pk ⁢ ⁢ := ⁢ ⁢ ( 1 λ , hk , param n ⇀ . { ^ t } t = 0 , … , d + 1 , ⁢ { ^ t * } t = 1 , … , d + 1 , b 0 , 3 * ) . ⁢ return ⁢ ⁢ sk , pk . ob ⁡ ( 1 λ , n ⇀ ⁢ ⁢ := ⁢ ⁢ ( d ; 2 , … , 2 ) ) ⁢ : ⁢ ⁢ param ⁢ ⁢ := ⁢ ⁢ ( q , 𝔾 , 𝔾 T , g , e ) ⁢ ← R ⁢ 𝒢 bpg ⁡ ( 1 λ ) , ⁢ ψ ⁢ ← ⋃ ⁢ 𝔽 q x , ⁢ n 0 ⁢ ⁢ := ⁢ ⁢ 1 , n d + 1 ⁢ ⁢ := ⁢ ⁢ 2 , [ Formula ⁢ ⁢ 162 ] N t ⁢ ⁢ := ⁢⁢3 ⁢ n t + 1 ⁢ ⁢ for ⁢ ⁢ t = 0 , … , d + 1 , ⁢ For ⁢ ⁢ t = 0 , … , d + 1 , ⁢ param𝕍 i ⁢ ⁢ := ⁢ ⁢ ( q , 𝕍 t , 𝔾 T , 𝔸 t , e ) ⁢ ⁢ := ⁢ ⁢ ⁢ 𝒢 dpvs ⁢ ( 1 λ , N t , param ) , X t ⁢ ⁢ := ⁢ ⁢ ( χ t , i , j ) i , j ⁢ ← ⋃ ⁢ GL ( N t , 𝔽 q ) ⁢ ( v t , i , j ) i , j ⁢ ⁢ := ⁢ ⁢ ψ · ( X t T ) - 1 , ⁢ b t , i ⁢ ⁢ := ⁢ ⁢ ( χ t , i , 1 , ⁢ … , χ t , i , N t ) t = Σ j = 1 N t ⁢ χ t , i , j ⁢ a t , j , ⁢ 𝔹 t ⁢ ⁢ := ⁢ ⁢ ( b t , 1 , … , b t , N t ) , b t , i * ⁢ ⁢ := ⁢ ⁢ ( v t , i , 1 , ⁢ … , v t , i , N t ) ⁢ 𝔸 t = Σ j = 1 N t ⁢ v t , i , j ⁢ a t , j , ⁢ 𝔹 t * ⁢ ⁢ := ⁢ ⁢ ( b t , 1 * , … , b t , N t * ) , ⁢ g T ⁢ ⁢ := ⁢ ⁢ e ⁡ ( g , g ) ψ ⁢ ⁢ param n ⇀ ⁢⁢:= ⁢ ⁢ ( { param𝕍 t } t = 0 , … , d + 1 , ⁢ g T ) ⁢ ⁢ return ⁢ ⁢ ( param n ⇀ , { 𝔹 t , 𝔹 t * } t = 0 , … , d + 1 ) .

The KeyGen algorithm indicated in Formula 140 is rewritten as indicated in Formula 163.

KeyGen ⁡ ( pk , sk , Γ ⁢ ⁢ := ⁢ ⁢ { ( t , x t ) | 1 ≤ t ≤ d } ) ⁢ ⁢ δ ⁢ ← ⋃ ⁢ 𝔽 q x , ⁢ φ 0 , φ t , l , φ d + 1 , 1 , t , φ d + 1 , 2 , t , ← ⋃ ⁢ 𝔽 q ⁢ ⁢ for ⁢ ⁢t = 1 , … , d ; t = 1 , 2 ⁢ ⁢ k 0 * ⁢ ⁢ := ⁢ ⁢ ( δ , 0 , φ 0 , 0 ) 0 * , ⁢ k t * ⁢ ⁢ := ⁢ ⁢ ( δ ⁢ ( 1 , x t ) , ︷ 2 ⁢ 0 , 0 , ︷ 2 ⁢ φ t , 1 , φ t , 2 , ︷ 2 ⁢ 0 ︷ 1 ) t * ⁢ ⁢ for ⁢ ⁢ ( t , x t ) ∈ Γ , ⁢ k d + 1 , 1 * ⁢ ⁢ := ⁢ ⁢ ( δ ⁢ ( 1 , 0 ) , ︷ 2 ⁢ 0 , 0 , ︷ 2 ⁢ φ d + 1 , 1 , 1 , φ d + 1 , 1 , 2 , ︷ 2 ⁢ 0 ︷ 1 ) d + 1 * , ⁢ k d + 1 , 2 * ⁢ ⁢ := ⁢ ⁢ ( δ ⁢ ( 0 , 1 ) , ︷ 2 ⁢ 0 , 0 , ︷ 2 ⁢ φ d + 1 , 2 , 1 , φ d + 1 , 2 , 2 , ︷ 2 ⁢ 0 ︷ 1 ) d + 1 * , ⁢ T ⁢ ⁢ := ⁢ ⁢{ 0 , ( d + 1 , 1 ) , ( d + 1 , 2 ) } ⋃ { t | 1 ≤ t ≤ d , ( t , x t ) ∈ Γ } , ⁢ return ⁢ ⁢ sk Γ ⁢ ⁢ := ⁢ ⁢ ( Γ , { k t * } t ∈ T ) . [ Formula ⁢ ⁢ 163 ]

The Sig algorithm indicated in Formula 150 is rewritten as indicated in Formula 164.

$\begin{matrix} {{{Sig}\left( {{pk},{sk}_{\Gamma},m,{{\mathbb{S}}\mspace{14mu}\text{:=}\mspace{14mu}\left( {M\;,\rho} \right)}} \right)}{{{If}\mspace{11mu}{\mathbb{S}}\mspace{14mu}\text{:=}\mspace{14mu}\left( {M,\rho} \right){accepts}\mspace{14mu}\Gamma\mspace{14mu}\text{:=}\mspace{14mu}\left\{ \left( {t,x_{t}} \right) \right\}},{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}}{\Sigma_{i \in I}\alpha_{i}M_{i}\mspace{14mu}\text{:=}\mspace{14mu}\overset{\_}{1}}{{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots,L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,v_{i}} \right)\bigwedge\left( {t,x_{t}} \right)} \in {\Gamma\bigwedge v_{i}}} = x_{t}}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {{\left( {t,v_{i}} \right)\bigwedge\left( {t,x_{t}} \right)} \in {{\Gamma\bigwedge v_{i}} \neq x_{t}}}} \right\rbrack} \right\}},{\xi\overset{\bigcup}{\leftarrow}{\mathbb{F}}_{q}^{x}},{\left( \beta_{i} \right)\overset{\bigcup}{\leftarrow}\left\{ {\left. \left( {\beta_{1},\ldots,\beta_{L}} \right) \middle| {\Sigma_{i = 1}^{L}\beta_{i}M_{i}} \right. = \overset{\rightharpoonup}{0}} \right\}},{{s_{0}^{*}\mspace{14mu}\text{:=}\mspace{14mu}{\xi k}_{0}^{*}} + r_{0}^{*}},{{{where}\mspace{14mu} r_{0}^{*}}\overset{\bigcup}{\leftarrow}{{span} < b_{0,3}^{*} >}},{{s_{i}^{*}\mspace{14mu}\text{:=}\mspace{14mu}{\gamma_{i} \cdot {\xi k}_{t}^{*}}} + {\Sigma_{t = 1}^{2}{y_{i,l} \cdot b_{t,l}^{*}}} + r_{i}^{*}},{{{for}\mspace{14mu} 1} \leq i \leq L},{{{where}\mspace{14mu} r_{i}^{*}}\overset{\bigcup}{\leftarrow}{{span} < b_{t,5}^{*}}},{b_{t,6}^{*} >},{{and}\mspace{14mu}\gamma_{i}},{{\overset{\rightharpoonup}{y}}_{i}\mspace{14mu}\text{:=}\mspace{14mu}\left( {y_{i,1},y_{i,2}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}}}{{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = \left( {t,v_{i}} \right)},{\gamma_{i}\mspace{14mu}\text{:=}\mspace{14mu}\alpha_{i}},{{\overset{\rightharpoonup}{y}}_{i}\mspace{14mu}\text{:=}\mspace{14mu}{\beta_{i}\left( {1,v_{i}} \right)}},{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = {\left( {t,v_{i}} \right)}},{\gamma_{i}\mspace{14mu}\text{:=}\mspace{14mu}\frac{\alpha_{i}}{v_{i} - x_{t}}},{{\overset{\rightharpoonup}{y}}_{i}\mspace{14mu}\text{:=}\mspace{14mu}\frac{\beta_{i}}{v_{i} - y_{i}}\left( {1,y_{i}} \right)\mspace{14mu}\left( {y_{i}\overset{\bigcup}{\leftarrow}{{\mathbb{F}}_{q}\backslash\left\{ v_{i} \right\}}} \right)},{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = \left( {t,v_{i}} \right)},{\gamma_{i}\mspace{14mu}\text{:=}\mspace{14mu} 0},{{\overset{\rightharpoonup}{y}}_{i}\mspace{14mu}\text{:=}\mspace{14mu}{\beta_{i}\left( {1,v_{i}} \right)}},{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = {\left( {t,v_{i}} \right)}},{\gamma_{i}\mspace{14mu}\text{:=}\mspace{14mu} 0},{{\overset{\rightharpoonup}{y}}_{i}\mspace{14mu}\text{:=}\mspace{14mu}\frac{\beta_{i}}{v_{i} - y_{i}}\left( {1,y_{i}} \right)\mspace{14mu}\left( {y_{i}\overset{\bigcup}{\leftarrow}{{\mathbb{F}}_{q}\backslash\left\{ v_{i} \right\}}} \right)},{{s_{L + 1}^{*}\mspace{14mu}\text{:=}\mspace{14mu}{\xi\left( {k_{{d + 1},1}^{*} + {{H_{hk}^{\lambda,D}\left( m||{\mathbb{S}} \right)} \cdot k_{{d + 1},2}^{*}}} \right)}} + r_{L + 1}^{*}},{{{where}\mspace{14mu} r_{L + 1}^{*}}\overset{\bigcup}{\leftarrow}{{span} < b_{{d + 1},5}^{*}}},{b_{{d + 1},6}^{*} >},{{return}\mspace{14mu}{\overset{\rightharpoonup}{s}}^{*}\mspace{14mu}\text{:=}\mspace{14mu}{\left( {s_{0}^{*},\ldots,s_{L + 1}^{*}} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 164} \right\rbrack \end{matrix}$

The Ver algorithm indicated in Formula 159 is rewritten as indicated in Formula 165.

Ver ⁡ ( pk , m , 𝕊 ⁢ ⁢ := ⁢ ⁢ ( M , ρ ) , s ⇀ * ) ⁢ ⁢ f ⇀ ⁢ ← ⋃ ⁢ 𝔽 q r , s ⇀ T ⁢ ⁢ := ⁢ ⁢ ( s 1 , … , s L ) T ⁢ ⁢ := ⁢ ⁢ M · f ⇀ T , ⁢ s 0 ⁢ ⁢ := ⁢ ⁢ 1 ⇀ · f ⇀ T , [ Formula ⁢ ⁢ 165 } η 0 , η L + 1 , θ L + 1 , s L + 1 ⁢ ← ⋃ ⁢ 𝔽 q , ⁢ c 0 ⁢ := ⁢ ⁢ ( - s 0 - s L + 1 , 0 , 0 , η 0 ) 0 , ⁢ for ⁢ ⁢ 1 ≤ i ≤ L , ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ( t , v i ) , ⁢ return ⁢ ⁢ 0 ⁢ ⁢ if ⁢ ⁢ s i * ∉ 𝕍 t , else ⁢ ⁢ θ i , η i ⁢ ← ⋃ ⁢ 𝔽 q , c i ⁢ ⁢ := ⁢ ⁢ ( s i + θ i ⁢ v i , - θ i , ︷ 2 ⁢ 0 , 0 , ︷ 2 ⁢ 0 , 0 ︷ 2 , η i ︷ 1 ) t , ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ⁢ ( t , v i ) , ⁢ return ⁢ ⁢ 0 ⁢ ⁢ if ⁢ ⁢ s i ∉ 𝕍 t , else ⁢ ⁢ η i ⁢ ← ⋃ ⁢ 𝔽 q , ⁢ c i ⁢ ⁢ := ⁢ ⁢ ( s i ⁢ ( v i , - 1 ) , ︷ 2 ⁢0 , 0 , ︷ 2 ⁢ 0 , 0 , ︷ 2 ⁢ η i ︷ 1 ) t , c L + 1 ⁢ ⁢ := ⁢ ( s L + 1 - θ L + 1 ⁢ H hk λ , D ⁡ ( m || 𝕊 ) , θ L + 1 , ︷ 2 0 , 0 ︷ 2 , 0 , 0 , ︷ 2 ⁢η L + 1 ︷ 1 ) d + 1 return ⁢ ⁢ 0 ⁢ ⁢ if ⁢ ⁢ e ⁡ ( b 0 , 1 , s 0 * ) = 1 , return ⁢ ⁢ 1 ⁢ ⁢ if ⁢ ⁢ Π i = 0 L + 1 ⁢ e ⁡ ( c i , s i * ) = 1 , return ⁢ ⁢ 0 ⁢ ⁢ otherwise .

The Setup algorithm may be executed only once at the setup of the signature processing system 10, and need not be executed every time a signing key is to be generated. In the above description, the Setup algorithm and the KeyGen. algorithm are executed by the key generation device 100. Alternatively, the Setup algorithm and the KeyGen algorithm may be executed by different devices.

Embodiment 2

This embodiment describes the “decentralized multi-authority attribute-based signature scheme”.

First, the notion “decentralized multi-authority” will be explained.

Second, the “decentralized multi-authority attribute-based signature scheme” according to this embodiment will be explained. Initially, the basic structure of the “decentralized multi-authority attribute-based signature scheme” will be explained. Then, the basic structure of the “signature processing system 10” which implements the “decentralized multi-authority attribute-based signature scheme” will be explained. After that, the “decentralized multi-authority attribute-based signature scheme” and the “signature processing system 10” according to this embodiment will be explained in detail.

<1. The Notion of Decentralized Multi-Authority>

Initially, the “multi-authority” will be explained. Multi-authority signifies the presence of a plurality of authorities who generate the signing key.

In a general signature processing system, the security of the whole system depends on one certain party (authority). For example, in the signature processing system 10 described in Embodiment 1, the security of the whole system depends on the key generation device 100 which generates the master key sk. If the security of the key generation device 100 is breached or the master key sk leaks, the whole signature processing system 10 no longer functions.

With the multi-authority scheme, however, even if the security of some authority is breached or the secret key (master key) of some authority leaks, only part of the signature processing system stops functioning, and the remaining portion of the system can function normally.

FIG. 13 is an explanatory drawing of the multi-authority.

In FIG. 13, a public office manages attributes such as the address, telephone number, and age. The police manage attributes such as the type of the driver's license. A company A manages attributes such as the position in the company A and the belonging department in the company A. A signing key 1 to indicate the attributes managed by the public office is issued by the public office. A signing key 2 to indicate the attributes managed by the police is issued by the police. A signing key 3 to indicate the attributes managed by the company A is issued by the company A.

The signer who signs generates signature data using a signing key formed by putting together the signing keys 1, 2, and 3 issued by the respective authorities such as the public office, the police, and the company A. Namely, when seen from the signer, a signing key formed by putting together the signing keys issued by the respective authorities is the single signing key issued to himself or herself.

For example, in a case where the master key of the company A leaks, although the signature processing system does not function regarding the attributes on the company A, it functions regarding the attributes managed by the other authorities. Namely, if the signature data is verified, although the attributes managed by the company A cannot be trusted, the other attributes can be trusted.

As is seen from the example of FIG. 13, according to the attribute-based signature, it is normal that a plurality of authorities are present, and that each authority manages a certain category (subspace) or definition range in the attributes and issues (a part of) a signing key regarding the attribute of the user in this category.

The notion “decentralized” will be explained. Being decentralized means that any party can serve as an authority and issue (a part of) the signing key without interacting with the other parties, and that each user can acquire (a part of) the signing key without interacting with the other parties.

For example, if a central authority exists, the system is not decentralized. A central authority is an authority superior to the other authorities. If the security of the central authority is breached, the security of every authority will be breached.

<2. Structure of Decentralized Multi-Authority Attribute-Based Signature Scheme>

<2-1. Basic Structure of Decentralized Multi-Authority Attribute-Based Signature Scheme>

A decentralized multi-authority attribute-based signature scheme consists of five algorithms: GSetup, ASetup, AttrGen, Sig, and Ver.

(GSetup)

A GSetup algorithm is a randomized algorithm that takes as input a security parameter λ and outputs a public parameter gparam.

(ASetup)

An ASetup algorithm is a randomized algorithm that takes as input the public parameter gparam and authority identification information t, and outputs an authority secret key ask_(t) and an authority public parameter apk_(t).

(AttrGen)

An AttrGen algorithm is a randomized algorithm that takes as input the public parameter gparam, the authority identification information t, the authority secret key ask_(t), user identification information gid, and an attribute x^(→) _(t):=(x_(i,j)) (i=1, . . . , n_(t))εF_(q), and outputs a signing key usk_(gid(t,xt)).

(Sig)

A Sig algorithm is a randomized algorithm that takes as input the public parameter gparam, the signing key usk_(gid,(t,xt)), a message m, and an access structure S:=(M, ρ), and outputs signature data σ including: a signature s^(→)*; the message m; and the access structure S.

(Ver)

A Ver algorithm is an algorithm that takes as input the signature data σ, the public parameter gparam, and the authority public parameter apk_(t), and outputs Boolean value 1 (accept) or 0 (reject).

<2-2 Signature Processing System 10>

A signature processing system 10 that executes the algorithms of the decentralized multi-authority signature-based signature scheme described above will be described.

FIG. 14 is a configuration diagram of the signature processing system 10 which executes the algorithms of the decentralized multi-authority attribute-based signature scheme.

The signature processing system 10 is provided with a plurality of key generation devices 100, a signature device 200, and a verification device 300.

One (single) key generation device 100 executes the GSetup algorithm by taking as input the security parameter λ, and generates the public parameter gparam. This key generation device 100 publicizes the generated public parameter gparam.

Each key generation device 100 executes the ASetup algorithm by taking as input the public parameter gparam and the authority identification information t assigned to this key generation device 100, and generates the authority secret key ask_(t) and the authority public parameter apk_(t). Each key generation device 100 executes the AttrGen algorithm by taking as input the public parameter gparam, the authority identification information t assigned to this key generation device 100, the authority secret key ask_(t), the user identification information gid, and the attribute x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t))εF_(q), and generates the signing key usk_(gid,(t,xt)) and distributes it to the signature device 200 in secrecy.

The signature device 200 executes the Sig algorithm by taking as input the public parameter gparam, the signing key usk_(gid,(t,xt)), the message in, and the access structure S:=(M, ρ), and generates the signature data σ including: the signature s^(→)*; the message m; and the access structure S. The signature device 200 transmits the generated signature data σ to the verification device 300.

The verification device 300 executes the Ver algorithm by taking as input the signature data σ, the public parameter gparam, and the authority public parameter apk_(t), and outputs Boolean value 1 (accept) or 0 (reject).

<2-3. Decentralized Multi-Authority Attribute-Based Signature Scheme and Signature Processing System 10 in Detail>

The decentralized multi-authority attribute-based signature scheme, and the function and operation of the signature processing system 10 which executes the decentralized multi-authority attribute-based signature scheme will be described with reference to FIGS. 15 to 22.

FIG. 15 is a function block diagram showing the function of each key generation device 100. FIG. 16 is a function block diagram showing the function of the signature device 200. FIG. 17 is a function block diagram showing the function of the verification device 300.

FIGS. 18 to 20 are flowcharts showing the operation of the key generation device 100. Note that FIG. 18 is a flowchart showing the process of the GSetup algorithm, that FIG. 19 is a flowchart showing the process of the ASetup algorithm, and that FIG. 20 is a flowchart showing the process of the AttrGen algorithm. FIG. 21 is a flowchart showing the operation of the signature device 200 and the process of the Sig algorithm. FIG. 22 is a flowchart showing the operation of the verification device 300 and the process of the Ver algorithm.

The function and operation of the key generation device 100 will be described.

As shown in FIG. 15, the key generation device 100 is provided with a master key generation part 110, a master key storage part 120, an information input part 130 (first information input part), a signing key generation part 140, and a key distribution part 150 (signing key transmission part).

The master key generation part 110 is provided with a global parameter generation part 111 and an authority secret key generation part 112. The signing key generation part 140 is provided with a random number generation part 141 and a key element generation part 145.

The process of the GSetup algorithm executed by the key generation device 100 will be described first with reference to FIG. 18. As described above, the GSetup algorithm may be executed by one key generation device 100 out of the plurality of key generation devices 100.

(S501: Security Parameter Input Step)

With the input device, the global parameter generation part 111 takes as input a security parameter λ (1^(λ)).

(S502: Bilinear Pairing Group Generation Step)

With the processing device, the global parameter generation part 111 executes algorithm G_(bpg) by taking as input the security parameter λ (1^(λ)) inputted in S501, and randomly generates the values of a parameter param_(G):=(q, G, G_(T), g, e) of the bilinear pairing group.

(S503: Parameter Generation Step)

Hash functions H_(i) and H₂ are determined as hash functions indicated in Formula 166. H ₁:{0,1}*→

, H ₂:{0,1}*→

_(q)  [Formula 166]

With the processing device, the global parameter generation part 111 generates elements G₀, G₁, G₂, G₃, and G₄ of the global parameter gparam indicated in Formula 167. G ₀ :=H ₁(0^(λ))ε

, G ₁ :=H ₁(1^(λ))ε

, G ₂ :=H ₁(1,0^(λ-1))ε

, G ₃ :=H ₁(0,1,0^(λ-2))ε

, G ₄ :=H ₁(1,1,0^(λ-2))ε

  [Formula 167]

The global parameter generation part 111 also sets g_(t):=e(G₀, G₁) and g₄:=e(G₀, G₄).

(S504: Parameter Storing Step)

The master key storage part 120 stores param_(G) generated in (S502), the hash functions H₁ and H₂ set in (S503) by the global parameter generation part 111, the generated elements G₀, G₁, G₃, and G₄, and the set values g, and g₄, as a global parameter gparam in the storage device.

In brief, from (S501) through (S503), the key generation device 100 generates the global parameter gparam by executing the GSetup algorithm indicated in Formula 168. Then, in (S504), the key generation device 100 stores the generated public global parameter gparam, in the storage device.

Note that the global parameter gparam is publicized via, e.g., a network, so that other key generation devices 100, the signature device 200, and the verification device 300 can acquire it.

GSetup ⁡ ( 1 λ ) ⁢ : ⁢ ⁢ param ⁢ ⁢ := ⁢ ⁢ ⁢ ( q , 𝔾 , 𝔾 T , g , e ) ⁢ ← R ⁢ 𝒢 bpg ⁡ ( 1 λ ) , ⁢ H 1 ⁢ : ⁢ { 0 , 1 } * → 𝔾 ; H 2 ⁢ : ⁢ { 0 , 1 } * → 𝔽 q ; ⁢ ⁢ G 0 ⁢ ⁢ := ⁢ ⁢ H 1 ⁡ ( 0 λ ) ∈ 𝔾 , G 1 ⁢ ⁢ := ⁢ ⁢ H 1 ⁡ ( 1 λ ) ∈ 𝔾 , ⁢ G 2 ⁢ ⁢ := ⁢ ⁢ H 1 ⁡ ( 1 , 0 λ - 1 ) ∈ 𝔾 , ⁢ G 3 ⁢ ⁢ := ⁢ ⁢ H 1 ⁡ ( 0 , 1 , 0 λ - 2 ) ∈ 𝔾 , ⁢ G 4 ⁢ ⁢ := ⁢⁢H 1 ⁡ ( 1 , 1 , 0 λ - 2 ) ∈ 𝔾 , ⁢ g T ⁢ ⁢ := ⁢ ⁢ e ⁡ ( G 0 , G 1 ) , g 4 ⁢ ⁢ := ⁢ ⁢ e ⁡ ( G 0 , G 4 ) , ⁢ return ⁢ ⁢ gparam ⁢ ⁢ := ⁢ ⁢ ⁢ ( param , H 1 , H 2 , G 0 , G 1 , G 2 , G 3 , G 4 , g T , g 4 ) . [ Formula ⁢ ⁢ 168 ]

The process of the ASetup algorithm executed by the key generation device 100 will be described with reference to FIG. 19. As described above, the ASetup algorithm may be executed by all of the plurality of key generation devices 100, or only some of the plurality of key generation devices 100.

(S601: Information Input Step)

With the input device, the information input part 130 takes as input the identification information t assigned to itself (its key generation device 100). Note that different identification information t are assigned to the respective key generation devices 100.

For example, with the communication device, the information input part 130 acquires the global parameter gparam via the network. If this information input part 130 belongs to the key generation device 100 that has generated the global parameter gparam, the information input part 130 may read the global parameter gparam from the master key generation part 120.

(S602: Space Generation Step)

With the processing device, the authority secret key generation part 112 executes the algorithm G_(dpvs) by taking as input the security parameter λ (1^(λ)), N_(t)=2n_(t)+2+u_(t)+w_(t)+z_(t), and the values of param_(G):=(q, G, G_(T), g, e), to generate the values of a parameter param_(Vt):=(q, V_(t), G_(T), A_(t), e) of the dual pairing vector spaces.

Note that n_(t), u_(t), w_(t), and z_(t) are each an integer of 1 or more.

(S603) Basis U Generation Step)

With the processing device, the authority secret key generation part 112 generates a basis U_(t) for each integer l=1, . . . , 4, as indicated in Formula 169.

l ⁢ ⁢ := ⁢ ⁢ ( u l , 1 , … , u l , N t ) , ⁢ where ⁢ ⁢ u l , i ⁢ ⁢ := ⁢ ⁢ ( 0 , … , 0 , ︷ i - 1 ⁢ G l , 0 , … , 0 ︷ N t - i ) ⁢ ⁢ for ⁢ ⁢ l = 0 , … , 4 ; i = 1 , … , N t [ Formula ⁢ ⁢ 169 ]

(S604: Linear Transformation Generation Step)

With the processing device, the authority secret key generation part 112 takes as input n_(t)+u_(t)+w_(t)+z_(t), and F_(q), and generates linear transformation X_(t):=(χ_(t,i,j))_(i,j) randomly, as indicated in Formula 170.

$\begin{matrix} {X_{t}\overset{\bigcup}{\leftarrow}{{GL}\left( {N_{t},{\mathbb{F}}_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 170} \right\rbrack \end{matrix}$

(S605: Basis B Generation Step)

With the processing device, the authority secret key generation part 112 generates a basis B_(t) and a basis B*_(t), as indicated in Formula 171. (

_(t),

_(t)*):=(X _(t))(

₀),(X _(t) ^(T))⁻¹(

₁))  [Formula 171]

The authority secret key generation part 112 determines π, π′ and μεF_(q), as values that satisfy G₂=πG₁, G₃=π′G₁, and G₃=μG_(t). Then, Formula 172 is established. (π

_(t)*,π′

_(t)*,μ

_(t)*)=((X _(t) ^(T))⁻¹(

₂),(X _(t) ^(T))⁻¹(

₃),(X _(t) ^(T))⁻¹(

₄))  [Formula 172]

(S606: Basis B^ Generation Step)

With the processing device, the authority secret key generation part 112 generates a subbasis BA_(t) of the basis B_(t) and a subbasis BA*_(t) of the basis B* as indicated in Formula 173.

_(t):=(b _(t,1) , . . . ,b _(t,2n) _(t) ₊₂ ,b _(t,2n) _(t) _(+2+u) _(t) _(+w) _(t) ₊₁ , . . . b _(t,2n) _(t) _(+2+u) _(t) _(+w) _(t) _(+z) _(t) ),

_(t)*:=(π(b _(t,1) *, . . . ,b _(t,n) _(t) *),π′(b _(t,n) _(t) ₊₁ *, . . . ,b _(t,2n) _(t) *),μ(b _(t,2n) _(t) ₊₁ *,b _(t,2n) _(t) ₊₂*),b _(t,2n) _(t) _(+2+u) _(t) ₊₁ , . . . ,b _(t,2n) _(t) _(+2+u) _(t) _(+w) _(t) )  [Formula 173]

(S607: Master Key Storing Step)

The master key storage part 120 stores the parameter param_(Vt) generated in (S602), and the subbasis B^_(t) and the subbasis B^*_(t) generated in (S606), in the storage device as an authority public parameter apk_(t). The master key storage part 120 also stores the linear transformation X_(t) generated in (S604), in the storage device as the authority secret key ask_(t).

In brief, from (S601) through (S606), the key generation device 100 generates the authority public parameter apk_(t) and the authority secret key ask_(t) by executing the ASetup algorithm indicated in Formula 174. Then, in (S607), the key generation device 100 stores the generated authority public parameter apk_(t) and authority secret key ask_(t), in the storage device.

Note that the authority public parameter apk_(t) is publicized via, e.g., a network, so that the signature device 200 and the verification device 300 can acquire it.

ASetup ⁡ ( gparam , t ) ⁢ : ⁢ ⁢ N t ⁢ ⁢ := ⁢ ⁢ 2 ⁢ n t + 2 + u t + w t + z t , ⁢ param t ⁢ ⁢ := ⁢ ⁢ ( q , 𝕍 t , 𝔾 T , 𝔸 t , e ) ⁢ ⁢ := ⁢ ⁢ ⁢ ⁢ 𝒢 dpvs ( 1 λ , N t , param ) , ⁢ l ⁢ ⁢ := ⁢ ⁢ ( u l , 1 , … , u l , N t ) , ⁢ where ⁢ ⁢ u l , i ⁢ ⁢ := ⁢ ⁢( 0 , … , 0 , ︷ i - 1 ⁢ G l , 0 , … , 0 ︷ N t - i ) ⁢ ⁢ for ⁢ ⁢ l = 0 , … , 4 ; i = 1 , … , N t , ⁢ X t ⁢ ← ⋃ ⁢ GL ( N t , 𝔽 q ) ⁢ ( 𝔹 t , 𝔹 t * ) ⁢ := ⁢ ( X t ⁡ ( 𝕌 0 ) , ⁢ ( X t T ) - 1 ⁢ ( 𝕌 1 ) ) , ⁢ Let ⁢ ⁢ π , π ′ , μ ∈ 𝔽 q ⁢ ⁢ s . t . ⁢ ⁢ ⁢ G 2 = π ⁢ ⁢ G 1 , G 3 = π ′ ⁢ G 1 , G 4 = μ ⁢ ⁢ G 1 , ⁢ then ⁢ ⁢ ( π𝔹 t * , π ′ ⁢ 𝔹 t * , μ𝔹 t * ) = ⁢ ( ( X t T ) - 1 ⁢ ( 𝕌 2 ) , ( X t T ) - 1 ⁢ ( 𝕌 3 ) , ( X t T ) - 1 ⁢ ( 𝕌 4 ) ) , ⁢ ^ t ⁢ ⁢ := ⁢ ⁢ ( b t , 1 , … , b t , 2 ⁢n t + 2 , b t , 2 ⁢ n t + 2 + u t + w t + 1 , … , ⁢ b t , 2 ⁢ n t + 2 + u t + w t + z t ) , ⁢ ^ t * ⁢ ⁢ := ⁢ ⁢ ( π ⁡ ( b t , 1 * , … , b t , n t * ) , π ′ ⁡ ( b t , n t + 1 * , … , b t , 2 ⁢ n t * ) , ⁢ μ ⁡ ( b t , 2 ⁢ n t + 1 * , b t , 2 ⁢ n t + 2 * ) , ⁢ b t , 2 ⁢ n t + 2 + u t + 1 , … , b t , 2 ⁢ n t + 2 + u t + w t ) , ⁢ ask t ⁢ ⁢ := ⁢ ⁢ X t , apk t ⁢ ⁢ := ⁢ ⁢ ( param t , ^ t , ^ t * ) ,  ⁢ return ⁢ ⁢ ( ask t , apk t ) . [ Formula ⁢ ⁢ 174 ]

The process of the AttrGen algorithm executed by the key generation device 100 will be described with reference to FIG. 20. Note that, as described above, the AttrGen algorithm is executed by the key generation device 100, among the plurality of key generation devices 100, that has executed the ASetup algorithm.

(S701: Information Input Step)

With the input device, the information input part 130 takes as input the identification information t assigned to itself (its key generation device 100), the identification information gid of the user whom the signing key is to be issued for, and the attribute information x^(→) _(t):=(i=1, . . . , n_(t)).

For example, with the communication device, the information input part 130 also acquires the global parameter gparam via the network. If this information input part 130 belongs to the key generation device 100 that has generated the global parameter gparam, the information input part 130 may read the global parameter gparam from the master key storage part 120.

The information input part 130 also reads the authority secret key ask_(s) from the master key storage part 120.

(S702: Random Number Generation Step)

With the processing device, the random number generation part 141 generates a random number φ^(→) _(t,j) for the identification information t and each integer j=1, 2, as indicated in Formula 175.

φ ⇀ t , j ⁢ ⁢ := ⁢ ⁢ ( φ t , j , 1 , … , φ t , j , w t ) ⁢ ← ⋃ ⁢ q w t , for ⁢ ⁢ j = 1 , 2 , [ Formula ⁢ ⁢ 175 ]

(S703: Key Element Generation Step)

Assume that Formula 176 is established. G _(gid,j)(=δ_(j) G ₁):=H ₁(j,gid)ε

  [Formula 176]

With the processing device, the key element generation part 145 generates a key element k*_(t,j), which is an element of the signing key usk_(gid,(t,xt)), for the identification information t and each integer j=1, 2, as indicated in Formula 177.

k t , j * ⁢ ⁢ := ⁢ ⁢ ( X t T ) - 1 ⁢ ( ( G gid , j + G 1 ) ⁢ x ⇀ t , - x ⇀ t ⁢ G gid , j , ⁢ 0 2 + u t , φ t , j , 1 ⁢ G 1 , … , φ t , j , w t ⁢ G 1 , 0 z t ) ⁢ ⁢ i . e . , k t , j * ⁢ ⁢ := ⁢ ⁢ ⁢ ⁢ ( ( δ j + 1 ) ⁢ ( x t , 1 , … , x t , n t ) , ︷ n t ⁢ ⁢ - δ j ⁢ ( x t , 1 , … , x t , n t ) , ︷ n t ⁢ 0 2 , ︷ 2 ⁢0 u t , ︷ u t ⁢ ⁢ φ t , j , 1 , … , φ t , j , w t , ︷ w t ⁢ 0 z t ︷ z t ) t * , ⁢ for ⁢ ⁢ j = 1 , 2 [ Formula ⁢ ⁢ 177 ]

As described above, for the bases B and B* indicated in Formula 113, Formula 114 is established. Hence, Formula 177 means that the coefficient for the basis vector of a basis B*_(t) is set as described below. For the purpose of simple representation, a basis vector b*_(t,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b*_(t,1). Basis vectors 1, . . . , 3 signify basis vectors b*_(t,1), . . . , b*_(1,3), respectively.

(δ_(j)+1)x_(t,1), . . . , (δ_(j)+1)x_(t,nt) (where nt represents n_(t)) are each set as the coefficient for the basis vectors 1, . . . , n_(t). δ_(j)x_(t,1), . . . , −δ_(j)x_(t,nt) (where nt represents n_(t)) are each set as the coefficient for the basis vectors n_(t)+1, . . . , 2n_(t). 0 is set as the coefficient for basis vectors 2n_(t)+1, . . . , 2n_(t)+2+u_(t). Random numbers φ_(t,j,1), . . . , φ_(t,j,wt) (where wt represents w_(t)) are each set as the coefficient for basis vectors 2n_(t)+2+u_(t)+1, . . . , 2n_(t)+2+u_(t)+w_(t). 0 is set as the coefficient for basis vectors 2n_(t)+2+u_(t)+w_(t)+1, . . . , 2n_(t)+2+u_(t)+w_(t)+z_(t).

(S704: Key Distribution Step)

For example, with the communication device, the key distribution part 150 distributes the signing key usk_(gid,(t,xt)), constituted as elements by the user identification information gid, the identification information t and the attribute information x^(→) _(t), and the key element k*_(t,j), to the signature device 200 in secrecy via the network. As a matter of course, the signing key usk_(gid,(t,xt)) may be distributed to the signature device 200 by another method.

In brief, from (S701) through (S703), the key generation device 100 generates the signing key usk_(gid,(t,xt)) by executing the AttrGen algorithm indicated in Formula 178. In (S704), the key generation device 100 distributes the generated signing key usk_(gid,(t,xt)) to the signature device 200.

AttrGen ( gparam , t , ask t , gid , x → t := ( x t , 1 , … ⁢ , x t , n t ) ∈ 𝔽 q ) ⁢ : ⁢ ⁢ ⁢ G gid , j ⁡ ( = δ j ⁢ G 1 ) := H 1 ⁡ ( j , gid ) ∈ 𝔾 , ⁢ ⁢ φ → t , j ⁢ ⟵ U ⁢ ⁢ 𝔽 q w t , for ⁢ ⁢ j = 1 , 2 , ⁢ k t , j * := k t , j * := ( X t T ) - 1 ⁢ ( ( G gid , j + G 1 ) ⁢ x → t , - x → , G gid , j , 0 2 + u t , φ t , j , 1 ⁢ G 1 , … ⁢ , φ t , j , w t ⁢ G 1 , 0 z t ) ⁢ ⁢ i . e . , k t , j * := ( ( δ j + 1 ) ⁢ ( x t , 1 , … ⁢ , x t , n t ) , ︷ n t ⁢ - δ j ⁢ ( x t , 1 , … ⁢ , x t , n t ) , ︷ n t ⁢ 0 2 , ︷ 2 ⁢ 0 u t , ︷ u t ⁢ φ t , j , 1 , … ⁢ , φ t , j , w t , ︷ w t ⁢ 0 z t ︷ z t ⁢ t * , ⁢ ⁢ for ⁢ ⁢ j = 1 , 2 , ⁢ ⁢ return ⁢ ⁢ ( usk gid , ( t , x t ) := ( gid , ( t , x → t ) , { k t , j * } j = 1 , 2 ) ) . [ Formula ⁢ ⁢ 178 ]

The function and operation of the signature device 200 will be described.

As shown in FIG. 16, the signature device 200 is provided with a signing key acquisition part 210, an information input part 220 (second information input part), a span program calculation part 230, a complementary coefficient calculation part 240, a signature data generation part 250, and a signature data transmission part 260 (signature data output part).

The information input part 220 is provided with a predicate information input part 221 and a message input part 222. The signature data generation part 250 is provided with a random number generation part 251 and a signature element generation part 255.

The process of the Sig algorithm executed by the signature device 200 will be described with reference to FIG. 21.

(S801: Signing Key Acquisition Step)

For example, with the communication device, the signing key acquisition part 210 acquires the signing key usk_(gid(t,xt)) generated by each key generation device 100, via the network. The signing key acquisition part 210 also acquires the public parameter gparam generated by the key generation device 100.

(S802: Information Input Step)

With the input device, the predicate information input part 221 takes as input the access structure S:=(M, ρ). The matrix M is a matrix of L rows×r columns. L and r are each an integer of 1 or more.

With the input device, the message input part 220 takes as input the message m to be signed.

The matrix M of the access structure S is to be set depending on the condition of the system to be implemented.

(S803: Span Program Calculation Step)

With the processing device, the span program calculation part 230 checks whether or not the access structure S inputted in (S802) accepts the set Γ of the attribute information x^(→) _(t) included in the signing key usk_(gid,(t,xt)) acquired in (S801).

The method of checking whether or not the access structure accepts the attribute set is the same as that described in “3. Concept for Implementing Attribute-Based Signature Scheme” in Embodiment 1.

If the access structure S accepts the attribute set Γ (accept in S803), the span program calculation part 230 advances the process to (S804). If the access structure S rejects the set Γ of the attribute information x^(→) _(t) (reject in S803), the span program calculation part 230 ends the process.

(S804: Complementary Coefficient Calculation Step)

With the processing device, the complementary coefficient calculation part 430 calculates I and a constant (complementary coefficient) α_(i) for each integer i included in I, which I and α_(d) satisfying Formula 179. {right arrow over (1)}:=_(iεI)α_(i) M _(i), and I⊂{iε{1, . . . ,L}|[ρ(i)=(t,{right arrow over (v)} _(i))

(t,{right arrow over (x)} _(t))εΓ

{right arrow over (v)} _(i) ·{right arrow over (x)} _(t)=0]

[ρ(i)=

(t,{right arrow over (v)} _(i))

(t,{right arrow over (x)} _(t))εΓ

{right arrow over (v)} _(i) ·{right arrow over (x)} _(t)≠0]}  [Formula 179]

Note that M_(i) signifies the i-th row of the matrix M.

(S805: Random Number Generation Step)

With the processing device, the random number generation part 251 generates random numbers ξ₁ and ξ₂, and random numbers β_(i) and β_(i)′ (i=1, . . . , L), as indicated in Formula 180.

ξ 1 , ξ 2 ⁢ ⟵ 𝔽 U ⁢ q , ⁢ ( β i ) , ( β i ′ ) ⁢ ⟵ U ⁢ { ( β 1 , … ⁢ , β L ) | ∑ i = 1 L ⁢ β i ⁢ M i = 0 → } [ Formula ⁢ ⁢ 180 ]

(S806: Signature Element Generation Step)

With the processing device, the signature element generation part 255 generates a signature element s*_(i) which is an element of the signature data σ, for each integer i=1, . . . , L, as indicated in Formula 181.

$\begin{matrix} {{s_{i}^{*}:={{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {1 - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + {\sum\limits_{\iota = 1}^{n_{t}}{y_{i,\iota}\left( {\pi\; b_{t,\iota}^{*}} \right)}} + {\sum\limits_{\iota = 1}^{n_{t}}{y_{i,\iota}^{\prime}\left( {\pi^{\prime}b_{t,{n_{t} + \iota}}^{*}} \right)}} + {\xi_{2}\left( {\left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {{H_{2}\left( {m,{\mathbb{S}}} \right)}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}} \right)} + r_{i}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} 1} \leq i \leq L}} & \left\lbrack {{Formula}\mspace{14mu} 181} \right\rbrack \end{matrix}$

Note that r*_(i) is defined by Formula 182 (see Formulas 110 through 112 and their explanations).

$\begin{matrix} {{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{t,{{2n_{t}} + 2 + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{{2n_{t}} + 2 + u_{t} + w_{t}}}^{*}} \right\rangle} & \left\lbrack {{Formula}\mspace{14mu} 182} \right\rbrack \end{matrix}$

Note that γ_(j), y^(→) _(i):=(y_(i,i′)) (i′=1, . . . , n_(t)), and y′^(→) _(i):=(y′_(i,i′)) (i′=1, . . . , n_(t)) are defined by Formula 183.

$\begin{matrix} {{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},{\gamma_{i}:=\alpha_{i}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}},{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = {⫬ {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}} \right\}},{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},{\gamma_{i}:=0},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}},{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{\gamma_{i}:=0},{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}} \right\}},{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}}} & \left\lbrack {{Formula}\mspace{14mu} 183} \right\rbrack \end{matrix}$

(S807: Data Transmission Step)

For example, with the communication device, the signature data transmission part 260 transmits the signature data σ, including the signature element s*_(i) (i=1, . . . , L), the message rn, the access structure S:=(M, ρ), and g₀:=g₄ ^(ξ2) (where ξ2 represents ξ₂), to the verification device 300 via the network. As a matter of course, the signature data σ may be transmitted to the verification device 300 by another method.

In brief, from (S801) through (S806), the signature device 200 generates the signature data σ by executing the Sig algorithm indicated in Formula 184. In (S807), the signature device 200 distributes the generated signature data σ to the verification device 300.

$\begin{matrix} {{Sig}\left( {{g\;{param}},{{\left\{ {{apk}_{t},{{usk}_{{gid},{({t,x_{t}})}}:=\left( {{gid},\left( {t,{\overset{\rightarrow}{x}}_{t}} \right),\left\{ k_{t,j}^{*} \right\}_{{j = 1},2}} \right\}},\mspace{79mu} m,{{\mathbb{S}}:=\left( {M,\rho} \right)}} \right){If}\mspace{14mu}{\mathbb{S}}}:={{\left( {M,\rho} \right)\mspace{14mu}{accepts}\mspace{14mu}\Gamma}:=\left\{ {\left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \in {usk}_{{gid},{({t,x_{t}})}}} \right\}}},\mspace{20mu}{{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}\mspace{20mu}{\overset{\rightarrow}{1}:={\sum\limits_{i \in I}{\alpha_{i}M_{i}\mspace{14mu}{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}}},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{20mu},L} \right\}} \middle| {\quad{{\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left. \quad\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack \right\}},\mspace{20mu}\xi_{1},{\xi_{2}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},\left( \beta_{i} \right),\mspace{79mu}{\left( \beta_{i}^{\prime} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right) \middle| {\sum\limits_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{\rightarrow}{0}} \right\}},\mspace{20mu}{g_{0}:=g_{4}^{\xi_{2}}},{s_{i}^{*}:={{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {1 - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,\iota}\left( {\pi\; b_{t,\iota}^{*}} \right)}} + {\sum\limits_{\iota = 1}^{n_{t}}{y_{i,\iota}^{\prime}\left( {\pi^{\prime}b_{t,{n_{t} + \iota}}^{*}} \right)}} + {\xi_{2}\left( {\left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {{H_{2}\left( {m,{\mathbb{S}}} \right)}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}} \right)} + r_{i}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} 1} \leq i \leq L},\mspace{79mu}{{where}\mspace{14mu}\mspace{20mu}{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{t,{{2n_{t}} + 2 + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{{2n_{t}} + 2 + u_{t} + w_{t}}}^{*}} \right\rangle},\mspace{20mu}{{and}\mspace{14mu}\gamma_{i}},{{\overset{\rightarrow}{y}}_{i}:=\left( {y_{i,1},\ldots\mspace{14mu},y_{i,n_{t}}} \right)},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}^{\prime}:={{{\left( {y_{i,1}^{\prime},\ldots\mspace{14mu},y_{i,n_{t}}^{\prime}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}\mspace{20mu}{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{\gamma_{i}:=\alpha_{i}},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}},\mspace{20mu}{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = {⫬ {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}}},\mspace{20mu}{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}}},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}} \right\}},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},\mspace{20mu}{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mspace{20mu}{\gamma_{i}:=0},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}},\mspace{20mu}{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{\gamma_{i}:=0},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}} \right\}},\mspace{20mu}{{\overset{\rightarrow}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i}^{\prime} \middle| {{\overset{\rightarrow}{y}}_{i}^{\prime} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},\mspace{20mu}{{{return}\mspace{14mu}{\overset{\rightarrow}{s}}^{*}}:={\left( {s_{0}^{*},\ldots\mspace{14mu},s,g_{0}} \right).}}}} \right.}} \right.} & \left\lbrack {{Formula}\mspace{14mu} 184} \right\rbrack \end{matrix}$

The function and operation of the verification device 300 will be described.

As shown in FIG. 17, the verification device 300 is provided with a public parameter acquisition part 310, a data reception part 320 (data acquisition part), a verification key generation part 330, and a pairing operation part 340.

The verification key generation part 330 is provided with a random number generation part 331, an f vector generation part 332, an s vector generation part 333, and a verification element generation part 337.

The process of the Ver algorithm executed by the verification device 300 will be described with reference to FIG. 22.

(S901: Public Parameter Acquisition Step)

For example, with the communication device, the public parameter acquisition part 310 acquires the global parameter gparam and authority public parameter apk_(t) generated by each key generation device 100, via the network.

(S902: Signature Data Reception Step)

For example, with the communication device, the data reception part 320 receives the signature data σ transmitted by the signature device 200, via the network.

(S903: f Vector Generation Step)

With the processing device, the f vector generation part 332 generates a vector f^(→) having r pieces of elements, randomly as indicated in Formula 185.

$\begin{matrix} {\overset{\rightarrow}{f}\overset{\; U\;}{\longleftarrow}{\mathbb{F}}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 185} \right\rbrack \end{matrix}$

(S904: s Vector Generation Step)

With the processing device, the s vector generation part 333 generates a vector s^(→T) as indicated in Formula 186, based on the (L rows×r columns) matrix M of the access structure S included in the signature data σ received in (S902), and the vector f^(→) generated in (S403) and having r pieces of elements, x. {right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 186]

With the processing device, the s vector generation part 333 generates a value s₀, based on the vector f^(→) generated in (S903), as indicated in Formula 187. Note that 1^(→) is a vector which has a value 1 in all its elements. s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 187]

(S905: f Vector Generation Step)

With the processing device, the f vector generation part 332 generates a vector f^(→)′ having r pieces of elements, randomly as indicated in Formula 188.

$\begin{matrix} {{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\longleftarrow}{\mathbb{F}}_{q}^{r}},{{s.t.\mspace{14mu} s_{0}} = {\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}}} & \left\lbrack {{Formula}\mspace{14mu} 188} \right\rbrack \end{matrix}$

(S906: s′ Vector Generation Step)

With the processing device, the s vector generation part 333 generates a vector (s^(→)′)^(T), based on the (L rows×r columns) matrix M and the vector f^(→)′ having r pieces of elements, as indicated in Formula 189. {right arrow over (s)}′ ^(T):=(s ₁ ′, . . . ,s _(L)′)^(T) :=M·{right arrow over (f)}′ ^(T)  [Formula 189]

(S907: Random Number Generation Step)

With the processing device, the random number generation part 331 generates a random number σ^(→) and a value σ₀, as indicated in Formula 190.

$\begin{matrix} {{\overset{\rightarrow}{\sigma}:={\left( {\sigma_{1},\ldots\mspace{14mu},\sigma_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{L}}},{\sigma_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{\sigma}}^{T}}}} & \left\lbrack {{Formula}\mspace{14mu} 190} \right\rbrack \end{matrix}$

(S908: Verification Element Generation Step)

With the processing device, the verification element generation part 337 generates a verification element which is an element of the verification key, for each integer i=1, . . . , L, as indicated in Formula 191.

⁢for ⁢ ⁢ 1 ≤ i ≤ L , ⁢ ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ( t , v → i ) , ⁢ ⁢ θ i , θ i ′ , θ i ″ ⁢ ⟵ U ⁢ 𝔽 q , η → i := ( η i , 1 , … ⁢ , η i , z t ) ⁢ ⟵ U ⁢ 𝔽 q z t ⁢ ⁢ c i := ( s i + θ i ⁢ v i , 1 , θ i ⁢ v i , 2 , … ⁢ , θ i ⁢ v i , n t , ︷ n t ⁢ s i ′ + θ i ′ ⁢ v i , 1 , θ i ′ ⁢ v i , 2 , … ⁢ , θ i ′ ⁢ v i , n t ︷ n t , σ i - θ i ″ ⁢ H 2 ⁡ ( m , 𝕊 ) , θ i ″ , ︷ 2 ⁢ 0 u t , ︷ u t ⁢ 0 w t , ︷ w t ⁢η i ⁢ ⁢ 1 , … ⁢ , η i , z t ︷ z t ⁢ t - , ⁢ ⁢ if ⁢ ⁢ ρ ⁡ ( i ) = ⫬ ( t , v → i ) , ⁢ ⁢ θ i ″ ⁢ ⟵ U ⁢ q , η → i := ( η i , 1 , … ⁢ , η i , z t ) ⁢ ⟵ U ⁢ 𝔽 q z t , ⁢ c i := ( s i ⁡ ( v i , 1 , … ⁢ , v i , n t ) , ︷ n t ⁢ s i ′ ⁡ ( v i , 1 , … ⁢ , v i , n t ) ︷ n t , σ i - θ i ″ ⁢ H 2 ⁡ ( m , 𝕊 ) , θ i ″ , ︷ 2 ⁢ 0 u t , ︷ u t ⁢ 0 w t , ︷ w t ⁢ η i ⁢ ⁢ 1 , … ⁢ , η i , z t ︷ z t ⁢ t [ Formula ⁢ ⁢ 191 ]

As described above, Formula 114 is established for the bases B and B* indicated in Formula 113. Hence, Formula 191 means that the coefficient for the basis vector of the basis B_(t) is set as described below. For the purpose of simple representation, a basis vector b_(t,i) is specified only by its i portion. For example, a basis vector 1 signifies a basis vector b_(t,1). Basis vectors 1, . . . , 3 signify basis vectors b_(t,1), . . . , b_(t,3), respectively.

When ρ(i) is a positive tuple (t, v^(→) _(i)), s_(i)+θ_(i)v_(i,1) is set as the coefficient for the basis vector 1. θ_(i)c_(i,2), . . . , θ_(i)v_(i,nt) (where nt represents n_(t)) are each set as the coefficient for basis vectors 2, . . . , n_(t). s_(i)′+θ_(i)′v_(i,1) is set as the coefficient for a basis vector n_(t)+1. θ_(i)′v_(i,2), . . . , θ_(i)′v_(i,nt) (where nt represents n_(t)) are each set as the coefficient for basis vectors n_(t)+2, . . . , 2n_(t). σ_(i)−θ_(i)″H₂(m, S) is set as the coefficient for a basis vector 2n_(t)+1. Note that H₂(m, S) means that the message m and the access structure S are given as input to the hash function H₂. For example, H₂(m∥S) may be possible. θ_(i)″ is set as the coefficient for a basis vector 2n_(t)+2. 0 is set as the coefficient for basis vectors 2n_(t)+2+1, . . . , 2n_(t)+2+u_(t)+w_(t). η_(i,1), . . . , η_(i,zt) (where zt represents z_(t)) are each set as the coefficient for basis vectors 2n_(t)+2+u_(t)+w_(t)+1, . . . , 2n_(t)+2+u_(t)+w_(t)+z_(t).

When ρ(i) is a negative tuple

(t, v^(→) _(i)), s_(i)v_(i,1), . . . , s_(i)v_(i,nt) (where nt represents n_(t)) are each set as the coefficient for the basis vectors 1, . . . , n_(t). s_(i)′v_(i,1), . . . ,s_(i)′v_(i,nt) (where nt represents n_(t)) are each set as the coefficient for basis vectors n_(t)+1, . . . , 2n_(t). σ_(i)−θ_(i)″H₂(m, S) is set as the coefficient for the basis vector 2n_(t)+1. θ_(i)″ is set as the coefficient for the basis vector 2n_(t)+2. 0 is set as the coefficient for the basis vectors 2n_(t)+2+1, . . . , 2n_(t)+2+u_(t)+w_(t). η_(i,1), . . . , η_(i,zt) (where zt represents z_(t)) are each set as the coefficient for the basis vectors 2n_(t)+2+u_(t)+w_(t)+1, . . . , 2n_(t)+2+u_(t)+w_(t)+z_(t).

(S909: Pairing Operation Step)

With the processing device, the pairing operation part 340 conducts a pairing operation indicated in Formula 192. Π_(i=1) ^(L) e(c _(i) s _(i)*)  [Formula 192]

If the calculation result of the pairing operation indicated in Formula 192 is a value g_(T) ^(s0)g₀ ^(σ0) (where s0 represents s₀ and σ0 represents σ₀), the pairing operation part 340 outputs value 1 indicating success of the signature verification; otherwise value 0 indicating failure of the signature verification.

If the signature data σ is authentic, as the consequence of calculating Formula 192, value 1 is obtained, as indicated in Formula 193.

$\begin{matrix} {{\prod\limits_{i = 1}^{L}\;{e\left( {c_{i},s_{i}^{*}} \right)}} = {\prod\limits_{i \in I}\;{{e\left( {c_{i},k_{t,1}^{*}} \right)}\gamma_{i}{\xi_{1} \cdot {\prod\limits_{i \in I}\;{{e\left( {c_{i},k_{t,2}^{*}} \right)}{{\gamma_{i}\left( {1 - \xi_{1}} \right)} \cdot {\prod\limits_{i = 1}^{L}\;{\overset{n_{t}}{\prod\limits_{\iota = 1}}{{e\left( {c_{i},b_{t,\iota}^{*}} \right)}^{{\pi\gamma}_{i,t}} \cdot {\prod\limits_{i = 1}^{L}\;{\overset{n_{t}}{\prod\limits_{\iota = 1}}{{e\left( {c_{i},b_{t,{n_{t} + \iota}}^{*}} \right)}^{\pi^{\prime}\gamma_{i,t}^{\prime}} \cdot {\prod\limits_{i = 1}^{L}{{e\left( {c_{i},b_{t,{{2n_{t}} + 1}}^{*}} \right)}\xi_{2}{\mu \cdot {\prod\limits_{i = 1}^{L}{e{\quad{\left( {c_{i},b_{t,{{2n_{t}} + 2}}^{*}} \right)\xi_{2}\mu\; H_{2}{\quad{\left( {m,{\mathbb{S}}} \right) = {{\prod\limits_{i \in I}{g_{T}^{\alpha_{i}s_{i}} \cdot \;{\overset{L}{\prod\limits_{i = 1}}{g_{T}^{{\pi\beta}_{i}s_{i}} \cdot {\prod\limits_{i = 1}^{L}\;{g_{T}^{\pi^{\prime}\beta_{i}^{\prime}s_{i}} \cdot {\prod\limits_{i = 1}^{L}\; g_{T}^{\xi_{2}\mu\;\sigma_{i}}}}}}}}} = {{g_{T}^{s_{0}} \cdot 1 \cdot 1 \cdot g_{4}^{\xi_{2}\sigma_{0}}} = {g_{T}^{s_{0}} \cdot g_{0}^{\sigma_{0}}}}}}}}}}}}}}}}}}}}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 193} \right\rbrack \end{matrix}$

In brief from (S901) through (S909), the verification device 300 verifies the signature data σ by executing the Ver algorithm indicated in Formula 194.

$\begin{matrix} {\mspace{79mu}{{{Ver}\left( {{g\;{param}},{apk}_{t},m,{{\mathbb{S}}:=\left( {M,\rho} \right)},{\overset{\rightarrow}{s}}^{*}} \right)}{{\overset{\rightarrow}{f}\overset{\; U\;}{\longleftarrow}{\mathbb{F}}_{q}^{r}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{20mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu}{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\longleftarrow}{\mathbb{F}}_{q}^{r}},{{s.t.\mspace{14mu} s_{0}} = {{\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime}}T}},\mspace{20mu}{{\overset{\rightarrow}{s}}^{\prime\; T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{\prime\; T}}}},\mspace{20mu}{\overset{\rightarrow}{\sigma}:={\left( {\sigma_{1},\ldots\mspace{14mu},\sigma_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{L}}},{\sigma_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{\sigma}}^{T}}},\mspace{20mu}{{{for}\mspace{14mu} 1} \leq i \leq L},\mspace{20mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mspace{20mu}{{{if}\mspace{14mu} s_{i}^{*}} \notin {{\mathbb{V}}_{t}\mspace{14mu}{return}\mspace{14mu} 0}},\mspace{20mu}{{else}\mspace{14mu}\theta_{i}},\theta_{i}^{\prime},{\theta_{i}^{''}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{z_{i}}}}{{c_{i}:={\left( {{\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}},}\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i,1}}},{\theta_{i}^{\prime}v_{i,2}},\ldots\mspace{20mu},{\theta_{i}^{\prime}v_{i,n_{t}}}}},{\overset{2}{\overset{︷}{{\sigma_{i} - {\theta_{i}^{''}{H_{2}\left( {m,{\mathbb{S}}} \right)}}},\theta_{i}^{''},}}\overset{u_{t}}{\overset{︷}{0^{u_{t}},}}\overset{\overset{w_{t}}{︷}}{0^{w_{t}},}\overset{\overset{z_{t}}{︷}}{\eta_{i\; 1},\ldots\mspace{14mu},\eta_{i,z_{t}}}}} \right){\mathbb{B}}_{t}}},\mspace{20mu}{{{if}\mspace{20mu}{\rho(i)}} = {⫬ \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu}{{{if}\mspace{14mu} s_{i}^{*}} \notin {{\mathbb{V}}_{t}\mspace{14mu}{return}\mspace{14mu} 0}},\mspace{20mu}{{else}\mspace{14mu}{\theta_{i}^{''}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{z_{i}}}}{c_{i}:={\left( {{\overset{\overset{n_{t}}{︷}}{{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},}\overset{\overset{n_{t}}{︷}}{s_{i}^{\prime}\left( {v_{i,1},\ldots\mspace{20mu},v_{i,n_{t}}} \right)}},{\overset{2}{\overset{︷}{{\sigma_{i} - {\theta_{i}^{''}{H_{2}\left( {m,{\mathbb{S}}} \right)}}},\theta_{i}^{''},}}\overset{u_{t}}{\overset{︷}{0^{u_{t}},}}\overset{\overset{w_{t}}{︷}}{0^{w_{t}},}\overset{\overset{z_{t}}{︷}}{\eta_{i\; 1},\ldots\mspace{14mu},\eta_{i,z_{t}}}}} \right){\mathbb{B}}_{t}}}{{{{return}\mspace{14mu} 1\mspace{14mu}{if}\mspace{14mu}{\prod\limits_{i = 1}^{L}\;{e\left( {c_{i},s_{i}^{*}} \right)}}} = {g_{T}^{s_{0}}g_{0}^{\sigma_{0}}}},{{return}\mspace{14mu} 0\mspace{14mu}{{otherwise}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 194} \right\rbrack \end{matrix}$

As described above, the signature processing system 10 according to Embodiment 2 implements the multi-authority attribute-based signature scheme in which the plurality of key generation devices 100 generate signing keys. In particular, the signature scheme implemented by the signature processing system 10 is a decentralized multi-authority attribute-based signature scheme with no central authority.

Note that the signature processing system 10 according to Embodiment 2 implements an attribute-based signature scheme with a non-monotone predicate, as the signature processing system 10 according to Embodiment 1 does.

The attribute-based signature scheme implemented by the signature processing system 10 according to Embodiment 2 is highly secure and satisfies privacy requirements.

In the above description, the dimensions u_(t), W_(t), and z_(t) (t=0, . . . , d) are provided to enhance the security. Therefore, if u_(t), w_(t), and z_(t) (t=1, . . . , d) are each set to 0, the dimensions u_(t), w_(t), and z_(t) (t=1, . . . , d) need not be provided, although the security may be degraded.

In the above description, the number of dimensions of each of the basis B_(t) and the basis B*_(t) is set to 2n_(t)+2+u_(t)+w_(t)+z_(t). Alternatively, 2n_(t)+2+u_(t)+w_(t)+z_(t) may be replaced by 2+2+2+6+4+1, and the number of dimensions of each of the basis B_(t) and the basis B*_(t) may be set to 17.

In this case, the GSetup algorithm indicated in Formula 168 is rewritten as Formula 195.

$\begin{matrix} {{{{{{GSetup}\left( 1^{\lambda} \right)}\text{:}\mspace{14mu}{param}_{\mathbb{G}}}:={\left( {q,{\mathbb{G}},{\mathbb{G}}_{T},g,e} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu}{\left. {H_{1}\text{:}\mspace{20mu}\left\{ {0,1} \right\}^{*}}\rightarrow{\mathbb{G}} \right.;\left. {H_{2}\text{:}\mspace{14mu}\left\{ {0,1} \right\}^{*}}\rightarrow{\mathbb{F}}_{q} \right.;}}\mspace{20mu}{{G_{0}:{{H_{1}\left( 0^{\lambda} \right)} \in {\mathbb{G}}}},{G_{1}:={{H_{1}\left( 1^{\lambda} \right)} \in {\mathbb{G}}}},\mspace{20mu}{G_{2}:={{H_{1}\left( {1,0^{\lambda - 1}} \right)} \in {\mathbb{G}}}},\mspace{20mu}{G_{3}:={{H_{1}\left( {0,1,0^{\lambda - 2}} \right)} \in {\mathbb{G}}}},\mspace{20mu}{G_{4}:={{H_{1}\left( {1,1,0^{\lambda - 2}} \right)} \in {\mathbb{G}}}},\mspace{20mu}{g_{T}:={e\left( {G_{0},G_{1}} \right)}},{g_{4}:={e\left( {G_{0},G_{4}} \right)}},{{{return}\mspace{14mu}{gparam}}:={\left( {{param}_{\mathbb{G}},H_{1},H_{2},G_{0},G_{1},G_{2},G_{3},G_{4},g_{T},g_{4}} \right).}}}} & \left( {{Formula}\mspace{14mu} 195} \right\rbrack \end{matrix}$

The ASetup algorithm indicated in Formula 174 is rewritten as Formula 196.

$\begin{matrix} {{{{{{ASetup}\left( {{gparam},t} \right)}\text{:}\mspace{14mu}{param}_{{\mathbb{V}}_{t}}}:={\left( {q,{\mathbb{V}}_{t},{\mathbb{G}}_{T},{\mathbb{A}}_{t},e} \right):={\mathcal{G}_{dpvs}\left( {1^{\lambda},17,{param}_{\mathbb{G}}} \right)}}},\mspace{20mu}{{\mathbb{U}}_{l}:=\left( {u_{l,1},\ldots\mspace{14mu},u_{l,17}} \right)},\mspace{20mu}{{{where}\mspace{14mu} u_{l,i}}:=\left( {{\overset{\overset{i - 1}{︷}}{0,\ldots\mspace{14mu},0,}G_{l}},\overset{\overset{17 - i}{︷}}{0,\ldots\mspace{14mu},0}} \right)}}\mspace{14mu}\mspace{20mu}{{{{for}\mspace{14mu} l} = 0},\ldots\mspace{14mu},{4;{i = 1}},\ldots\mspace{14mu},17,{X_{t}\overset{U}{\longleftarrow}{{GL}\left( {17,{\mathbb{F}}_{q}} \right)}},{\left( {{\mathbb{B}}_{i},{\mathbb{B}}_{t}^{*}} \right):=\left( {{X_{t}\left( {\mathbb{U}}_{0} \right)},{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{1} \right)}} \right)},\mspace{20mu}{{Let}\mspace{14mu}\pi},\pi^{\prime},{\mu \in {\mathbb{F}}_{q}}}\mspace{14mu}\mspace{20mu}{{{s.t.\mspace{14mu} G_{2}} = {\pi\; G_{1}}},{G_{3} = {\pi^{\prime}G_{1}}},{G_{4} = {\mu\; G_{1}}},{{{then}\mspace{14mu}\left( {{\pi\mathbb{B}}_{t}^{*},{\pi^{\prime}{\mathbb{B}}_{t}^{*}},{\mu{\mathbb{B}}}_{t}^{*}} \right)} = \left( {{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{2} \right)},{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{3} \right)},{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{4} \right)}} \right)},\mspace{20mu}{{\hat{\mathbb{B}}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,6},b_{t,17}} \right)},{{\hat{\mathbb{B}}}_{t}^{*}:=\left( {{\pi\; b_{t,1}^{*}},{\pi\; b_{t,2}^{*}},{\pi^{\prime}b_{t,3}^{*}},{\pi^{\prime}b_{t,4}^{*}},{\mu\; b_{t,5}^{*}},{\mu\; b_{t,6}^{*}},b_{t,13}^{*},\ldots\mspace{14mu},b_{t,16}^{*}} \right)},\mspace{20mu}{{ask}_{t}:=X_{t}},{{apk}_{t}:=\left( {{{param}_{{\mathbb{V}}_{t}}{\hat{\mathbb{B}}}_{t}},{\hat{\mathbb{B}}}_{t}^{*},} \right)},\mspace{20mu}{{return}\mspace{14mu}{\left( {{ask}_{t},{apk}_{t}} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 196} \right\rbrack \end{matrix}$

The AttrGen algorithm indicated in Formula 178 is rewritten as Formula 197.

$\begin{matrix} {\mspace{79mu}{{{{{AttrGen}\left( {{gparam},t,{ask}_{t},{gid},{x_{t} \in {\mathbb{F}}_{q}}} \right)}\text{:}}\mspace{20mu}{{{G_{{gid},j}\left( {= {\delta_{j}G_{1}}} \right)}:={{H_{1}\left( {j,{gid}} \right)} \in {\mathbb{G}}}},\mspace{20mu}{{\overset{\rightarrow}{\varphi}}_{t,j}:={\left( {\varphi_{t,j,1},\ldots\mspace{14mu},\varphi_{t,j,4}} \right)\overset{U}{\longleftarrow}\;{\mathbb{F}}_{q}^{4}}},{{{for}\mspace{14mu} j} = 1},2,{k_{t,j}^{*}:={\left( X_{t}^{T} \right)^{- 1}\left( {\left( {G_{{gid},j} + G_{1}} \right),{x_{t}\left( {G_{{gid},j} + G_{1}} \right)},{- G_{{gid},j}},{{- x_{t}}G_{{gid},j}},0^{8},{\varphi_{t,j,1}G_{1}},\ldots\mspace{14mu},{\varphi_{t,j,4}G_{1}},0} \right)}}}}{{i.e.},{k_{t,j}^{*}:={\left( {\overset{\overset{2}{︷}}{{\left( {\delta_{j} + 1} \right)\left( {1,x_{t}} \right)},}\overset{\overset{2}{︷}}{{- {\delta_{j}\left( {1,x_{t}} \right)}},}\overset{\overset{2}{︷}}{0^{2},}\overset{\overset{6}{︷}}{0^{6},}\overset{\overset{4}{︷}}{{\overset{\rightarrow}{\varphi}}_{t,j},}\overset{\overset{1}{︷}}{0}} \right){\mathbb{B}}_{i}^{*}}},\mspace{20mu}{{{for}\mspace{14mu} j} = 1},2,\mspace{20mu}{{return}\mspace{14mu}{\left( {{usk}_{{gid},{({t,x_{t}})}}:=\left( {{gid},\left( {t,x_{t}} \right),\left\{ k_{t,j}^{*} \right\}_{{j = 1},2}} \right)} \right).}}}}} & \left\lbrack {{Formula}\mspace{14mu} 197} \right\rbrack \end{matrix}$

The Sig algorithm indicated in Formula 184 is rewritten as Formula 198.

$\begin{matrix} {{Sig}\left( {{g\;{param}},\left\{ {{apk}_{t},{{usk}_{{gid},{({t,x_{t}})}}:=\left( {{gid},\left( {t,x_{t}} \right),\left\{ k_{t,j}^{*} \right\}_{{j = 1},2}} \right\}},{{\left. \quad{m,{{\mathbb{S}}:=\left( {M,\rho} \right)}} \right)\mspace{14mu}{If}\mspace{14mu}{\mathbb{S}}}:={{\left( {M,\rho} \right)\mspace{14mu}{accepts}\mspace{14mu}\Gamma}:=\left\{ {\left( {t,x_{t}} \right) \in {usk}_{{gid},{({t,x_{t}})}}} \right\}}},\mspace{14mu}{{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}\overset{->}{1}}:={\sum\limits_{i \in I}{\alpha_{i}M_{i}\mspace{14mu}{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\quad{{\left\lbrack {{\rho(i)} = {{\left( {t,v_{i}} \right) ⩓ {\left( {t,x_{t}} \right) \in \Gamma} ⩓ v_{i}} = x_{t}}} \right\rbrack ⩔ \left. \quad\left\lbrack {{\rho(i)} = {{⫬ \left( {t,v_{i}} \right)} ⩓ {\left( {t,x_{t}} \right) \in \Gamma} ⩓ {v_{i} \neq x_{t}}}} \right\rbrack \right\}},\mspace{14mu}\xi_{1},{\xi_{2}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},\left( \beta_{i} \right),{\left( \beta_{i}^{\prime} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right) \middle| {\sum\limits_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{->}{0}} \right\}},\mspace{14mu}{g_{0}:=g_{4}^{\xi_{2}}},{s_{i}^{*}:={{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {1 - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + {\sum\limits_{t = 1}^{2}{y_{i,l}\left( {\pi\; b_{t,l}^{*}} \right)}} + {\sum\limits_{l = 3}^{4}{y_{i,l}\left( {\pi^{\prime}b_{t,l}^{*}} \right)}} + {\xi_{2}\left( {\left( {\mu\; b_{t,5}^{*}} \right) + {{H_{2}\left( {m,{\mathbb{S}}} \right)}\left( {\mu\; b_{t,6}^{*}} \right)}} \right)} + r_{i}^{*}}},{{{for}\mspace{14mu} 1} \leq i \leq L},{{where}\mspace{14mu}{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{t,13}^{*},\ldots\mspace{14mu},b_{t,16}^{*}} \right\rangle},\mspace{14mu}{{and}\mspace{14mu}{\quad{\gamma_{i},{{\overset{->}{y}}_{i}:={{{{\left( {y_{i,1},\ldots\mspace{14mu},y_{i,4}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}\mspace{11mu}{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = \left( {t,v_{i}} \right)}},{\gamma_{i}:=\alpha_{i}},\mspace{14mu}{{\overset{->}{y}}_{i}:=\left( {{\beta_{i}\left( {1,v_{i}} \right)},{\beta_{i}^{\prime}\left( {1,v_{i}} \right)}} \right)},{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},{\gamma_{i}:=\frac{\alpha_{i}}{v_{i} - x_{t}}},\mspace{14mu}{{\overset{->}{y}}_{i}:={\left( {{\frac{\beta_{i}}{v_{i} - y_{i}}\left( {1,y_{i}} \right)},{\frac{\beta_{i}^{\prime}}{v_{i} - y_{i}^{\prime}}\left( {1,y_{i}^{\prime}} \right)}} \right)\left( {y_{i},{{y_{i}^{\prime}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ v_{i} \right\}}} \right)}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = \left( {t,v_{i}} \right)},{\gamma_{i}:=0},\mspace{14mu}{{\overset{->}{y}}_{i}:=\left( {{\beta_{i}\left( {1,v_{i}} \right)},{\beta_{i}^{\prime}\left( {1,v_{i}} \right)}} \right)},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},{\gamma_{i}:=0},{{\overset{->}{y}}_{i}:={\left( {{\frac{\beta_{i}}{v_{i} - y_{i}}\left( {1,y_{i}} \right)},{\frac{\beta_{i}^{\prime}}{v_{i} - y_{i}^{\prime}}\left( {1,y_{i}^{\prime}} \right)}} \right)\left( {y_{i},{{y_{i}^{\prime}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ v_{i} \right\}}} \right)}},{{{return}\mspace{14mu}{\overset{->}{s}}^{*}}:={\left( {s_{0}^{*},\ldots\mspace{14mu},s_{L}^{*},g_{0}} \right).}}}}}}} \right.}} \right.} \right.} & \left\lbrack {{Formula}\mspace{14mu} 198} \right\rbrack \end{matrix}$

The Ver algorithm indicated in Formula 194 is rewritten as Formula 199.

$\begin{matrix} {{{{{Ver}\left( {{g\;{param}},{apk}_{t},m,{{\mathbb{S}}:=\left( {M,\rho} \right)},{\overset{->}{s}}^{*}} \right)}{\overset{->}{f}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{r}}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},{{\overset{->}{f}}^{\prime}\overset{R}{\longleftarrow}{\mathbb{F}}_{q}^{r}},\mspace{14mu}{{s.t.\mspace{14mu} s_{0}} = {\overset{->}{1} \cdot {\overset{->}{f}}^{\prime\; T}}},{{\overset{->}{s}}^{\prime\; T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{->}{f}}^{\prime\; T}}}},{\overset{->}{\sigma}:={\left( {\sigma_{1},\ldots\mspace{14mu},\sigma_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{L}}},{\sigma_{0}:={\overset{->}{1} \cdot {\overset{->}{\sigma}}^{T}}},{{{for}\mspace{14mu} 1} \leq i \leq L},\mspace{76mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},{{return}\mspace{14mu} 0}}\;{{{{if}\mspace{14mu} s_{i}^{*}} \notin {\mathbb{V}}_{t}},{{else}\mspace{14mu}\theta_{i}},\theta_{i}^{\prime},\theta_{i}^{\prime\prime},{\eta_{i}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{c_{i}:={\left( {\overset{\overset{2}{︷}}{{s_{i} + {\theta_{i}v_{i}}},{- \theta_{i}}},\overset{\overset{2}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i}}},{- \theta_{i}^{\prime}}},{\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}{H_{2}\left( {m,{\mathbb{S}}} \right)}}},\theta_{i}^{\prime\prime},}\overset{\overset{6}{︷}}{0^{6}}},\overset{\overset{4}{︷}}{0^{4}},\overset{\overset{1}{︷}}{\eta_{i}}} \right){\mathbb{B}}_{t}}},\mspace{76mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},{{return}\mspace{14mu} 0}}\;{{{{if}\mspace{14mu} s_{i}^{*}} \notin {\mathbb{V}}_{t}},{{else}\mspace{14mu}{\theta_{i}^{\prime\prime}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}},{\eta_{i}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{\quad{{c_{i}:={\left( {{\overset{\overset{2}{︷}}{{s_{i}\left( {v_{i},{- 1}} \right)},}\overset{\overset{2}{︷}}{{s_{i}^{\prime}\left( {v_{i},{- 1}} \right)},}\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}H_{2}\left( {m,{\mathbb{S}}} \right)}},\theta_{i}^{\prime\prime},}\overset{\overset{6}{︷}}{0^{6}}},\overset{\overset{4}{︷}}{0^{4}},\overset{\overset{1}{︷}}{\eta_{i}}} \right){\mathbb{B}}_{t}}},{{{return}\mspace{14mu} 1\;\mspace{76mu}{if}\mspace{14mu}{\prod\limits_{i = 1}^{L}{e\left( {c_{i},s_{i}^{*}} \right)}}} = {g_{T}^{s_{0}}g_{0}^{\sigma_{0}}}},{{return}\mspace{14mu} 0\mspace{14mu}{{otherwise}.}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 199} \right\rbrack \end{matrix}$

The GSetup algorithm may be executed only once by one generation device 100 at the setup of the signature processing system 10, and need not be executed every time a signing key is to be generated. Likewise, the ASetup algorithm may be executed only once by each key generation device 100 at the setup of the signature processing system 10, and need not be executed every time a signing key is to be generated.

In the above explanation, the GSetup algorithm, the ASetup algorithm, and the KeyGen algorithm are executed by the key generation device 100. Alternatively, the GSetup algorithm, the ASetup algorithm, and the KeyGen algorithm may be executed by different devices.

Embodiment 3

In the above embodiments, the method of implementing the signature process in the dual vector spaces has been described. In Embodiment 3, a method of implementing a signature process in dual additive groups will be described.

More specifically, in the above embodiments, the signature process is implemented in the cyclic group of the prime order q. When a ring R is expressed as indicated in Formula 200 using a composite number M, the signature process described in the above embodiments can also be applied to a module having the ring R as a coefficient.

:=

/

[Formula 200] where

: an integer; and M: a composite number

When the attribute-based signature scheme described in Embodiment 1 is implemented in the additive group having the ring R as a coefficient, then Formulas 201 to 205 are resulted.

                                    [Formula  201] ${Setup}\left( {1^{\lambda},{\overset{\rightarrow}{n}:={\left( {{d;n_{t}},u_{t},w_{t},z_{t}} \right)\left( {{t = 0},\ldots\mspace{14mu},{d + 1}} \right)}}} \right)$ $\mspace{79mu}{{{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}},{n_{0}:=1},{n_{d + 1}:=2},\mspace{79mu}{{hk}\overset{R}{\longleftarrow}{KH}_{\lambda}},{n_{0}:=1},{n_{d + 1}:=2},\mspace{79mu}{\left( {{param}_{\underset{n}{\rightarrow}},\left\{ {{\mathbb{B}}_{t},{\mathbb{B}}_{t}^{*}} \right\}_{{t = 0},\ldots,{d + 1}}} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{ob}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}},{{\hat{\;{\mathbb{B}}}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,n_{t}},b_{t,{n_{t} + u_{t} + w_{t} + 1}},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t} + z_{t}}}} \right)}}$ $\mspace{79mu}{{{{for}\mspace{14mu} t} = 0},\ldots\mspace{14mu},{d + 1},\mspace{79mu}{{\hat{\mathbb{B}}}_{t}^{*}:=\left( {b_{t,1}^{*},\ldots\mspace{14mu},b_{t,n_{t}}^{*},b_{t,{n_{t} + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t}}}^{*}} \right)}}$ $\mspace{76mu}{{{{for}\mspace{14mu} t} = 1},\ldots\mspace{14mu},{d + 1},{{sk}:=b_{0,1}^{*}},{{p\; k}:={{\left( {1^{\lambda},{hk},{param}_{\overset{\rightarrow}{n}},\left\{ {\hat{\mathbb{B}}}_{t} \right\}_{{t = 0},\ldots,{d + 1}},\left\{ {\hat{\mathbb{B}}}_{t}^{*} \right\}_{{t = 1},\ldots,{d + 1}},b_{0,{1 + u_{0} + 1}}^{*},\ldots,b_{0,{1 + u_{0} + w_{0}}}^{*}} \right).\mspace{76mu}{return}}\mspace{14mu}{sk}}},{{pk}.\mspace{616mu}\left\lbrack {{Formula}\mspace{14mu} 202} \right\rbrack}}$ $\mspace{79mu}{{{{\mathcal{G}_{ob}\left( {1^{\lambda},{\overset{\rightharpoonup}{n}:={\left( {{d;n_{t}},u_{t},w_{t},z_{t}} \right)\left( {{t = 0},\ldots\mspace{14mu},{d + 1}} \right)}}} \right)}:\mspace{79mu}{param}_{\mathbb{G}}}:={{\left( {q,{\mathbb{G}},{\mathbb{G}}_{T},g,e} \right)\overset{R}{\longleftarrow}\mathcal{G}_{bpg}}\left( 1^{\lambda} \right)}},\mspace{79mu}{\psi\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{\times}},\mspace{79mu}{N_{t}:={{n_{t} + u_{t} + w_{t} + {z_{t}\mspace{14mu}{for}\mspace{14mu} t}} = 0}},\ldots\mspace{14mu},{d + 1},\mspace{79mu}{{{For}\mspace{14mu} t} = 0},\ldots\mspace{14mu},{d + 1},\mspace{79mu}{{param}_{{\mathbb{V}}_{t}}:={\left( {q,{\mathbb{V}}_{t},{\mathbb{G}}_{T},{\mathbb{A}}_{t},e} \right):={\mathcal{G}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{\mathbb{G}}} \right)}}},\mspace{79mu}{X_{t}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{\longleftarrow}{{GL}\left( {N_{t}{\mathbb{R}}} \right)}}},{\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}},\mspace{79mu}{b_{t,i}:={\left( {{\chi_{{t,i,1,}\mspace{14mu}}\ldots}\mspace{14mu},\chi_{t,i,N_{t}}} \right)_{{\mathbb{A}}_{t}} = {\sum\limits_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}}}}},{{\mathbb{B}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,N_{t}}} \right)},{b_{t,i}^{*}:={{\left( {{v_{{t,i,1,}\mspace{14mu}}\ldots}\mspace{14mu},v_{t,i,N_{t}}} \right){\mathbb{A}}_{t}} = {\sum\limits_{j = 1}^{N_{t}}{v_{t,i,j}a_{t,j}}}}},\mspace{79mu}{{\mathbb{B}}_{t}^{*}:=\left( {b_{t,1}^{*},\ldots\mspace{14mu},b_{t,N_{t}}^{*}} \right)},\mspace{79mu}{g_{T}:={e\left( {g,g} \right)}^{\psi}},{{param}_{\overset{-}{n}}:=\left( {\left\{ {param}_{{\mathbb{V}}_{t}} \right\}_{{t = 0},\ldots,{d + 1},}g_{T}} \right)}}$ $\mspace{79mu}{{{return}\left( {{param}_{\overset{-}{n}},\left\{ {{\mathbb{B}}_{t},{\mathbb{B}}_{t}^{*}} \right\}_{{t = 0},\ldots,{d + 1}}} \right)}.\mspace{616mu}\left\lbrack {{Formula}\mspace{14mu} 203} \right\rbrack}$ ${KeyGen}\left( {{pk},{sk},{\Gamma:=\left\{ \left( {t,{{\overset{\rightarrow}{x}}_{t}:={\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right) \in {\mathbb{R}}^{n_{t}}}}} \right) \middle| {1 \leq t \leq d} \right\}}} \right)$ $\mspace{79mu}{{\delta\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{x}},\mspace{79mu}{{\overset{\rightarrow}{\varphi}}_{0}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{w_{0}}},\mspace{79mu}{{{{\overset{\rightarrow}{\varphi}}_{t}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{w_{t}}}\mspace{11mu}{for}\mspace{14mu} t} = 1},\ldots\mspace{14mu},d,\mspace{79mu}{\overset{\rightarrow}{\varphi}}_{{d + 1},1},{{\overset{\rightarrow}{\varphi}}_{{d + 1},2}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{w_{d + 1},}}}$ $\mspace{79mu}{{k_{0}^{*}:={\left( {\delta,\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{\overset{w_{0}}{︷}}{\varphi_{0,1},\ldots\mspace{14mu},\varphi_{0,w_{0}}},\overset{\overset{z_{0}}{︷}}{0^{z_{0}}}} \right){\mathbb{B}}_{0}^{*}}},\mspace{79mu}{k_{t}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{{\delta\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}},}\overset{\overset{w_{t}}{︷}}{\varphi_{t,1},\ldots\mspace{14mu},\varphi_{t,w_{t}},}\overset{\overset{z_{t}}{︷}}{0^{z_{t}}}} \right){\mathbb{B}}_{t}^{*}}}}$ $\mspace{79mu}{{{{for}\mspace{14mu}\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma},\mspace{79mu}{k_{{d + 1},1}^{*}:={\left( {\overset{2}{\overset{︷}{{\delta\left( {1,0} \right)},}}\overset{u_{d + 1}}{\overset{︷}{0^{u_{d + 1}},}}\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},1,1},\ldots\mspace{14mu},\varphi_{{d + 1},1,w_{d + 1}},}\overset{\overset{z_{d + 1}}{︷}}{0^{z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}^{*}}},\mspace{79mu}{k_{{d + 1},2}^{*}:={\left( {\overset{\overset{2}{︷}}{{\delta\left( {0,1} \right)},}\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}},}\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},2,1},\ldots\mspace{14mu},\varphi_{{d + 1},2,w_{d + 1}},}\overset{\overset{z_{d + 1}}{︷}}{0^{z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}^{*}}},\mspace{79mu}{T:={\left\{ {0,\left( {{d + 1},1} \right),\left( {{d + 1},2} \right)} \right\}\bigcup\left\{ {\left. t \middle| {1 \leq t \leq d} \right.,{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \in \Gamma}} \right\}}},\mspace{79mu}{{{return}\mspace{14mu}{sk}_{\Gamma}}:={\left( {\Gamma,\left\{ k_{t}^{*} \right\}_{t \in T}} \right).\mspace{599mu}\left\lbrack {{Formula}\mspace{14mu} 204} \right\rbrack}}}$      Sig(pk, sk_(Γ), m, 𝕊 := (M, ρ)) $\mspace{79mu}{{{{If}\mspace{14mu}{\mathbb{S}}}:={{\left( {M,\rho} \right)\mspace{14mu}{accepts}{\mspace{14mu}\;}\Gamma}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}},\mspace{79mu}{{then}\mspace{14mu}{com}\;{pute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}}}$ $\mspace{79mu}{{{\sum\limits_{i \in I}^{\;}{\alpha_{i}M_{i}}}:={{\overset{\rightarrow}{1}\mspace{14mu}{and}\text{}I} \subseteq \left\{ {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho(i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \;{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho(i)} = {⫬ {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \;{{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}},\mspace{79mu}{\xi\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{\times}},{\left( \beta_{i} \right)\overset{\bigcup}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right) \middle| {\sum\limits_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{\rightarrow}{0}} \right\}},\mspace{79mu}{s_{0}^{*}:={{\xi\; k_{0}^{*}} + r_{0}^{*}}},{{where}\mspace{14mu}{r_{0}^{*}\overset{\bigcup}{\longleftarrow}{span}}\left\langle {b_{0,{1 + u_{0} + 1}}^{*},\ldots\mspace{14mu},b_{0,{1 + u_{0} + w_{0}}}^{*}} \right\rangle}}$ $\mspace{79mu}{{s_{i}^{*}:={{{\gamma_{i} \cdot \xi}\; k_{t}^{*}} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,l} \cdot b_{t,l}^{*}}} + r_{i}^{*}}},{{{for}\mspace{14mu} 1} \leq i \leq L},\mspace{79mu}{{where}\mspace{14mu}{r_{i}^{*}\overset{\bigcup}{\longleftarrow}{span}}\left\langle {b_{t,{n_{t} + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t}}}^{*}} \right\rangle},\mspace{79mu}{{and}\mspace{14mu}\gamma_{i}},{{\overset{\rightarrow}{y}}_{i}:={\left( {y_{i,1},\ldots\mspace{14mu},y_{i,n_{t}}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}}}}$ $\mspace{79mu}{{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = \left( {t,v_{i}} \right)},\mspace{79mu}{\gamma_{i}:=\alpha_{i}},{{\overset{\rightharpoonup}{y}}_{i}\overset{\bigcup}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},\mspace{79mu}{{{{if}\mspace{14mu} i} \in {I\bigwedge{\rho(i)}}} = {⫬ \left( {t,v_{i}} \right)}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}}},\mspace{79mu}{y_{i}\overset{\bigcup}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {\overset{\rightarrow}{y_{i}} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}} \right\}},\mspace{79mu}{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = \left( {t,v_{i}} \right)},{\gamma_{i}:=0},\mspace{79mu}{{\overset{\rightarrow}{y}}_{i}\overset{\bigcup}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},\mspace{79mu}{{{{if}\mspace{14mu} i} \notin {I\bigwedge{\rho(i)}}} = {⫬ \left( {t,v_{i}} \right)}},{\gamma_{i}:=0},\mspace{79mu}{\overset{\rightarrow}{y_{i}}\overset{\bigcup}{\longleftarrow}\left\{ {\left. {\overset{\rightarrow}{y}}_{i} \middle| {{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}} \right. = \beta_{i}} \right\}},\mspace{79mu}{s_{L + 1}^{*}:={\xi\left( {{k_{{d + 1},1}^{*} + {H_{hk}^{\lambda,D}\left( {m{\left. {\mathbb{S}} \right) \cdot k_{{d + 1},2}^{*}}} \right)} + r_{L + 1}^{*}},\mspace{79mu}{{where}\mspace{14mu}{r_{L + 1}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{{d + 1},{2 + u_{d + 1} + 1}}^{*},\ldots\mspace{14mu},b_{{d + 1},{2 + u_{d + 1} + w_{d + 1}}}^{*}} \right\rangle},\mspace{79mu}{{{return}\mspace{14mu}{\overset{\rightarrow}{s}}^{*}}:={{\left( {s_{0}^{*},\ldots\mspace{14mu},s_{L + 1}^{*}} \right).\mspace{560mu}\left\lbrack {{Formula}\mspace{14mu} 205} \right\rbrack}\mspace{85mu}{{Ver}\left( {{pk},m,{{\mathbb{S}}:=\left( {M,\rho} \right)},{\overset{\rightarrow}{s}}^{*}} \right)}\mspace{79mu}{\overset{\rightarrow}{f}\overset{U}{\longleftarrow}{\mathbb{R}}^{r}}}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{79mu}{{\overset{\rightarrow}{\eta}}_{0}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{z_{0}}},{\eta_{L + 1}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{z_{d + 1}}},\theta_{L + 1},{s_{L + 1}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}},\mspace{79mu}{c_{0}:={\left( {{{- s_{0}} - s_{L + 1}},\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{w_{0}}{\overset{︷}{0^{w_{0}}}},\overset{\overset{z_{0}}{︷}}{\eta_{0,1},\ldots\mspace{14mu},\eta_{0,z_{0}}}} \right){\mathbb{B}}_{0}}},\mspace{79mu}{{{for}\mspace{14mu} 1} \leq i \leq L},\mspace{79mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right) \in {\mathbb{R}}^{n_{t}}}}} \right)},\mspace{79mu}{{{if}\mspace{14mu} s_{i}^{*}} \notin {{\mathbb{V}}_{t}\mspace{14mu}{return}\mspace{14mu} 0}},\mspace{79mu}{{else}\mspace{14mu}{\theta_{i}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}}},{{\overset{\rightarrow}{\eta}}_{i}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{z_{t}}},\mspace{79mu}{c_{i}:={\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},\eta_{i,z_{t}}}} \right){\mathbb{B}}_{t}}},\mspace{79mu}{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right) \in {\mathbb{R}}^{n_{t}}}}} \right)}},\mspace{79mu}{{{if}\mspace{14mu} s_{i}^{*}} \notin {{\mathbb{V}}_{t}\mspace{14mu}{return}\mspace{14mu} 0}},\mspace{79mu}{{else}\mspace{14mu}{{\overset{\rightarrow}{\eta}}_{i}\overset{\bigcup}{\longleftarrow}{\mathbb{R}}^{z_{t}}}},\mspace{79mu}{c_{i}:={{\left( {\overset{\overset{n_{t}}{︷}}{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},\eta_{i,z_{t}}}} \right){\mathbb{B}}_{t}c_{L + 1}}:={\quad{{{\left( {\overset{\overset{2}{︷}}{s_{L + 1} - {\theta_{L + 1}{H_{hk}^{\lambda,D}\left( {{m\left. {\mathbb{S}} \right)},\theta_{L + 1},} \right.}}}\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}},}\overset{\overset{w_{d + 1}}{︷}}{0^{w_{d + 1}},}\overset{\overset{z_{d + 1}}{︷}}{\eta_{{L + 1},1},\ldots\mspace{14mu},\eta_{{L + 1},z_{d + 1}}}} \right){\mathbb{B}}_{d + 1}\mspace{79mu}{return}\mspace{14mu} 0\mspace{14mu}{if}\mspace{14mu}{e\left( {b_{0,1},s_{0}^{*}} \right)}} = 1},\mspace{79mu}{{{return}\mspace{14mu} 1\mspace{14mu}{if}\mspace{14mu}{\prod\limits_{i = 0}^{L + 1}\;{e\left( {c_{i},s_{i}^{*}} \right)}}} = 1},{{return}\mspace{14mu} 0\mspace{14mu}{{otherwise}.}}}}}}} \right.}}}$

When the decentralized multi-authority attribute-based signature scheme described in Embodiment 2 is implemented in the additive group having the ring R as a coefficient, then Formulas 206 to 210 are resulted.

$\begin{matrix} {{{{{{GSetup}\left( 1^{\lambda} \right)}\text{:}\mspace{14mu}{param}_{\mathbb{G}}}:={\left( {q,{\mathbb{G}},{\mathbb{G}}_{T},g,e} \right)\overset{R}{\longleftarrow}{\mathcal{G}_{bpg}\left( 1^{\lambda} \right)}}},\mspace{79mu}{{H_{1}:={\left\{ {0,1} \right\}^{*}->{\mathbb{G}}}};}}\mspace{79mu}{{H_{2}:={\left\{ {0,1} \right\}^{*}->{\mathbb{R}}}};}\mspace{79mu}{{G_{0}:={{H_{1}\left( 0^{\lambda} \right)} \in {\mathbb{G}}}},\mspace{79mu}{G_{1}:={{H_{1}\left( 1^{\lambda} \right)} \in {\mathbb{G}}}},}} & \left\lbrack {{Formula}\mspace{14mu} 206} \right\rbrack \\ {\mspace{79mu}{{G_{2}:={{H_{1}\left( {1,0^{\lambda - 1}} \right)} \in {\mathbb{G}}}},\mspace{79mu}{G_{3}:={{H_{1}\left( {0,1,0^{\lambda - 2}} \right)} \in {\mathbb{G}}}},\mspace{79mu}{G_{4}:={{H_{1}\left( {1,1,0^{\lambda - 2}} \right)} \in {\mathbb{G}}}},\mspace{79mu}{g_{T}:={{\mathbb{e}}\left( {G_{0},G_{1}} \right)}},\mspace{79mu}{g_{4}:={{\mathbb{e}}\left( {G_{0},G_{4}} \right)}},}} & \; \\ {{{return}\mspace{14mu}{gparam}}:={\left( {{param}_{\mathbb{G}},H_{1},H_{2},G_{0},G_{1},G_{2},G_{3},G_{4},g_{T},g_{4}} \right).}} & \; \\ {{{{{ASetup}\left( {{gparam},t} \right)}\text{:}\mspace{14mu} N_{t}}:={{2n_{t}} + 2 + u_{t} + w_{t} + z_{t}}},{{param}_{{\mathbb{V}}_{t}}:={\left( {q,{\mathbb{V}}_{t},{\mathbb{G}}_{T},{\mathbb{A}}_{t},{\mathbb{e}}} \right):={\mathcal{G}_{dpvs}\left( {1^{\lambda},N_{t},{param}_{\mathbb{G}}} \right)}}},{{\mathbb{U}}_{l}:=\left( {u_{l,1},\ldots\mspace{14mu},u_{l,N_{t}}} \right)},\mspace{14mu}{{{where}\mspace{14mu} u_{l,i}}:={{\left( {{\overset{\overset{i - 1}{︷}}{0,\ldots\mspace{14mu},0,}G_{l}},\overset{\overset{N_{t} - i}{︷}}{0,\ldots\mspace{14mu},0}} \right)\mspace{14mu}{for}\mspace{14mu} l} = {\quad{0,\ldots\mspace{14mu},{4;\mspace{14mu}{i = 1}},\ldots\mspace{14mu},N_{t},}}}}} & \left\lbrack {{Formula}\mspace{14mu} 207} \right\rbrack \\ {{X_{t}\overset{U}{\longleftarrow}{{GL}\left( {N_{t},{\mathbb{R}}} \right)}},\mspace{76mu}{\left( {{\mathbb{B}}_{t},{\mathbb{B}}_{t}^{*}} \right):=\left( {{X_{t}\left( {\mathbb{U}}_{0} \right)},{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{1} \right)}} \right)},\mspace{79mu}{{Let}\mspace{14mu}\pi},\pi^{\prime},{{\mu \in {{\mathbb{R}}\mspace{14mu}{s.t.\;\text{}\mspace{79mu} G_{2}}}} = {\pi\; G_{1}}},\mspace{79mu}{G_{3} = {\pi^{\prime}G_{1}}},\mspace{79mu}{G_{4} = {\mu\; G_{1}}},{then}} & \; \\ {{\left( {{\pi\mathbb{B}}_{t}^{*},{\pi^{\prime}{\mathbb{B}}_{t}^{*}},{\mu\;{\mathbb{B}}_{t}^{*}}} \right) = \left( {{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{2} \right)},{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{3} \right)},{\left( X_{t}^{T} \right)^{- 1}\left( {\mathbb{U}}_{4} \right)}} \right)},{{\hat{\mathbb{B}}}_{t}:=\left( {b_{t,1},\ldots\mspace{14mu},b_{t,{{2\; n_{t}} + 2}},b_{t,{{2\; n_{t}} + 2 + u_{t} + w_{t} + 1}},\ldots\mspace{14mu},b_{t,{{2\; n_{t}} + 2 + u_{t} + w_{t} + z_{t}}}} \right)},{{\hat{\mathbb{B}}}_{t}^{*}:=\left( {{\pi\left( {b_{t,1}^{*},\ldots\mspace{14mu},b_{t,n_{t}}^{*}} \right)},{\pi^{\prime}\left( {b_{t,{n_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{2\; n_{t}}}^{*}} \right)},{\mu\left( {b_{t,{{2\; n_{t}} + 1}}^{*},b_{t,{{2\; n_{t}} + 2}}^{*}} \right)},b_{t,{{2\; n_{t}} + 2 + u_{t} + 1}},\ldots\mspace{14mu},b_{t,{{2\; n_{t}} + 2 + u_{t} + w_{t}}}} \right)},} & \; \\ {{{ask}_{t}:=X_{t}},{{apk}_{t}:=\left( {{param}_{{\mathbb{V}}_{t}},{\hat{\mathbb{B}}}_{t},{\hat{\mathbb{B}}}_{t}^{*}} \right)},{{{return}\left( {{ask}_{t},{apk}_{t}} \right)}.}} & \; \\ {{{{{AttrGen}\left( {{gparam},t,{ask}_{t},{gid},{{\overset{->}{x}}_{t}:={\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right) \in {\mathbb{R}}}}} \right)}\text{:}\mspace{20mu}{G_{{gid},j}\left( {= {\delta_{j}G_{1}}} \right)}}:={{H_{1}\left( {j,{gid}} \right)} \in {\mathbb{G}}}},{\varphi_{t,j}\overset{U}{\longleftarrow}{\mathbb{R}}^{w_{t}}},{{{for}\mspace{14mu} j} = 1},2,\mspace{14mu}{k_{t,j}^{*}:={k_{t,j}^{*}:={\left( X_{t}^{T} \right)^{- 1}\left( {{\left( {G_{{gid},j} + G_{1}} \right){\overset{->}{x}}_{t}},{{- {\overset{->}{x}}_{t}}G_{{gid},j}},0^{2 + u_{t}},{\varphi_{t,j,1}G_{1}},\ldots\mspace{14mu},{\varphi_{t,j,w_{t}}G_{1}},0^{z_{t}}} \right)}}}} & \left\lbrack {{Formula}\mspace{14mu} 208} \right\rbrack \\ {{i.e.},{k_{t,j}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{\left( {\delta_{j} + 1} \right)\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{- {\delta_{j}\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)}},\overset{\overset{2}{︷}}{0^{2}},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{\varphi_{t,j,1},\ldots\mspace{14mu},\varphi_{t,j,w_{t}}},\overset{\overset{z_{t}}{︷}}{0^{z_{t}}}} \right){\mathbb{B}}_{t}^{*}}},{{{for}\mspace{14mu} j} = {\quad{1,2,{{return}\mspace{14mu}{\left( {{usk}_{{gid},{({t,x_{t}})}}:=\left( {{gid},\left( {t,{\overset{->}{x}}_{t}} \right),\left\{ k_{t,j}^{*} \right\}_{{j = 1},2}} \right)} \right).}}}}}} & \; \\ {{Sig}\left( {{g\;{param}},\left\{ {{apk}_{t},{{usk}_{{gid},{({t,x_{t}})}}:=\left( {{gid},\left( {t,{\overset{->}{x}}_{t}} \right),\left\{ k_{t,j}^{*} \right\}_{{j = 1},2}} \right\}},m,{{\mathbb{S}}:=\left( {M,\rho} \right)}} \right.} \right)} & \left\lbrack {{Formula}\mspace{14mu} 209} \right\rbrack \\ {{{{If}\mspace{14mu}{\mathbb{S}}}:={{\left( {M,\rho} \right)\mspace{14mu}{accepts}\mspace{14mu}\Gamma}:=\left\{ {\left( {t,{\overset{->}{x}}_{t}} \right) \in {usk}_{{gid},{({t,x_{t}})}}} \right\}}},\mspace{14mu}{{{then}\mspace{14mu}{compute}\mspace{14mu} I\mspace{14mu}{and}\mspace{14mu}\left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu}{such}\mspace{14mu}{that}\mspace{14mu}\overset{->}{1}}:={\sum\limits_{i \in I}{\alpha_{i}M_{i}\mspace{14mu}{where}\mspace{14mu} M_{i}\mspace{14mu}{is}\mspace{14mu}{the}\mspace{14mu} i\text{-}{th}\mspace{14mu}{row}\mspace{14mu}{of}\mspace{14mu} M}}},\mspace{14mu}{{{and}\mspace{14mu} I} \subseteq \left\{ \left. {i \in \left\{ {1,\ldots\mspace{14mu},L} \right\}} \right| \right.}} & \; \\ {\quad{\left\lbrack {{\rho(i)} = {{\left( {t,{\overset{->}{v}}_{i}} \right) ⩓ {\left( {t,{\overset{->}{x}}_{t}} \right) \in \Gamma} ⩓ {{\overset{->}{v}}_{i} \cdot {\overset{->}{x}}_{t}}} = 0}} \right\rbrack ⩔ {\quad{\left. \quad\left\lbrack {{\rho(i)} = {{⫬ \left( {t,{\overset{->}{v}}_{i}} \right)} ⩓ {\left( {t,{\overset{->}{x}}_{t}} \right) \in \Gamma} ⩓ {{{\overset{->}{v}}_{i} \cdot {\overset{->}{x}}_{t}} \neq 0}}} \right\rbrack \right\},\xi_{1},{\xi_{2}\overset{U}{\longleftarrow}{\mathbb{R}}},\left( \beta_{i} \right),{\left( \beta_{i}^{\prime} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right) \middle| {\sum\limits_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{->}{0}} \right\}},}}}} & \; \\ {\mspace{70mu}{{g_{0}:=g_{4}^{\xi_{2}}},\mspace{14mu}{s_{i}^{*}:={{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {1 - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,l}\left( {\pi\; b_{t,l}^{*}} \right)}} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,l}^{\prime}\left( {\pi^{\prime}b_{t,{n_{t} + l}}^{*}} \right)}} + {\xi_{2}\left( {\left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {{H_{2}\left( {m,{\mathbb{S}}} \right)}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}} \right)} + r_{i}^{*}}},}} & \; \\ {{{{for}\mspace{14mu} 1} \leq i \leq L},{{where}\mspace{14mu}{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\left\langle {b_{t,{{2n_{t}} + 2 + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{{2n_{t}} + 2 + u_{t} + w_{t}}}^{*}} \right\rangle},{{and}\mspace{14mu}\gamma_{i}},{{\overset{->}{y}}_{i}:=\left( {y_{i,1},\ldots\mspace{14mu},y_{i,n_{t}}} \right)},{{\overset{->}{y}}_{i}^{\prime}:={\left( {y_{i,1}^{\prime},\ldots\mspace{14mu},y_{i,n_{t}}^{\prime}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}}}} & \; \\ {{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = \left( {t,{\overset{->}{v}}_{i}} \right)},{\gamma_{i}:=\alpha_{i}},{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}} = \beta_{i}}} \right\}},{{\overset{->}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i}^{\prime} \middle| \mspace{14mu}{{\overset{->}{y}}_{i}^{\prime} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}},{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ \left( {t,{\overset{->}{v}}_{i}} \right)}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{->}{v}}_{i} - {\overset{->}{x}}_{t}}},\mspace{14mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{{\overset{->}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i}^{\prime} \middle| \mspace{14mu}{{\overset{->}{y}}_{i}^{\prime} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},} & \; \\ {{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = \left( {t,{\overset{->}{v}}_{i}} \right)},{\gamma_{i}:=0},\mspace{14mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}} = \beta_{i}}} \right\}},{{\overset{->}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i}^{\prime} \middle| \mspace{14mu}{{\overset{->}{y}}_{i}^{\prime} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ \left( {t,{\overset{->}{v}}_{i}} \right)}},{\gamma_{i}:=0},{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{{\overset{->}{y}}_{i}^{\prime}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i}^{\prime} \middle| \mspace{14mu}{{\overset{->}{y}}_{i}^{\prime} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},\mspace{14mu}{{{return}\mspace{14mu}{\overset{->}{s}}^{*}}:={\left( {s_{0}^{*},\ldots\mspace{14mu},s,g_{0}} \right).}}} & \; \\ {{{{Ver}\left( {{g\;{param}},{apk}_{t},m,{{\mathbb{S}}:=\left( {M,\rho} \right)},{\overset{->}{s}}^{*}} \right)}{\overset{->}{f}\overset{U}{\longleftarrow}{\mathbb{R}}^{r}}},{{\overset{->}{s}}^{T}:={\left( {s_{1},\ldots\mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{->}{f}}^{T}}}},{s_{0}:={\overset{->}{1} \cdot {\overset{->}{f}}^{T}}},{{\overset{->}{f}}^{\prime}\overset{R}{\longleftarrow}{\mathbb{R}}^{r}},\mspace{14mu}{{s.t.\mspace{14mu} s_{0}} = {\overset{->}{1} \cdot {\overset{->}{f}}^{\prime\; T}}},{{\overset{->}{s}}^{\prime\; T}:={\left( {s_{1}^{\prime},\ldots\mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{->}{f}}^{\prime\; T}}}},} & \left\lbrack {{Formula}\mspace{14mu} 210} \right\rbrack \\ {{\overset{->}{\sigma}:={\left( {\sigma_{1},\ldots\mspace{14mu},\sigma_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{R}}^{L}}},{\sigma_{0}:={\overset{->}{1} \cdot {\overset{->}{\sigma}}^{T}}},{{{for}\mspace{14mu} 1} \leq i \leq L},\mspace{76mu}{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,{\overset{->}{v}}_{i}} \right)},{{{if}\mspace{14mu} s_{i}^{*}} \notin {{\mathbb{V}}_{t}\mspace{14mu}{return}\mspace{14mu} 0}},{{else}\mspace{14mu}\theta_{i}},\theta_{i}^{\prime},\theta_{i}^{\prime\prime},{\overset{U}{\longleftarrow}{\mathbb{R}}},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{\mathbb{R}}^{z_{t}}}} & \; \\ {{c_{i}:={\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i,1}}},{\theta_{i}^{\prime}v_{i,2}},\ldots\mspace{11mu},{\theta_{i}^{\prime}v_{i,n_{t}}}},{\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}{H_{2}\left( {m,{\mathbb{S}}} \right)}}},\theta_{i}^{\prime\prime},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},\eta_{i,z_{t}}}} \right){\mathbb{B}}_{t}}},\;{{{if}\;{\rho(i)}} = {⫬ \left( {t,{\overset{->}{v}}_{i}} \right)}},{{{if}\; s_{i}^{*}} \notin {{\mathbb{V}}_{t}\mspace{14mu}{return}\mspace{14mu} 0}},{{else}\mspace{11mu}{\theta_{i}^{''}\overset{U}{\longleftarrow}{\mathbb{R}}}},{{\overset{->}{\eta}}_{i}\overset{U}{\longleftarrow}{\mathbb{R}}^{z_{t}}}} & \; \\ {{{c_{i}:={\left( {{\overset{\overset{n_{t}}{︷}}{{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},}\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},}\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}H_{2}\left( {m,{\mathbb{S}}} \right)}},\theta_{i}^{\prime\prime},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},n_{i,z_{t}}}} \right){\mathbb{B}}_{t}}},}\mspace{14mu}} & \; \\ {{{{return}\mspace{14mu} 1\mspace{14mu}{if}\mspace{14mu}{\prod\limits_{i = 1}^{L}{{\mathbb{e}}\left( {c_{i},s_{i}^{*}} \right)}}} = {g_{T}^{s_{0}}g_{0}^{\sigma_{0}}}},{{return}\mspace{14mu} 0\mspace{14mu}{{otherwise}.}}} & \; \end{matrix}$

From the viewpoint of security proof, in the above embodiments, ρ(i) for each integer i=1, . . . , L may be limited to a positive tuple (t, v^(→) _(i)) or negative tuple

(t, v^(→) _(i)) for different identification information t.

In other words, when ρ(i)=(t, v^(→) _(i)) or ρ(i)=

(t, v^(→) _(i)), let a function ρ^(˜) be map of {1, . . . , L}→{1, . . . , d} with which ρ^(˜)(i)=t is established. In this case, ρ^(˜) may be limited to injection. Note that ρ(i) is ρ(i) in the access structure S:=(M, ρ(i)) described above.

In the above description, the span program M^ accepts the input sequence δ if and only if linear combination of the rows of the matrix M_(δ) obtained from the matrix^ by the input sequence δ gives 1^(→). Alternatively, the span program M^ may accept the input sequence δ if and only if another vector h^(→) is obtained instead of 1^(→).

In this case, in the KeyGen algorithm, s₀:=h^(→)·f^(→T) may be set instead of s₀:=1^(→)·f^(→T).

The hardware configuration of the signature processing system 10 (the key generation device 100, the signature device 200, and the verification device 300) in the above embodiments will be described.

FIG. 23 is a diagram showing an example of the hardware configuration of each of the key generation device 100, signature device 200, and verification device 300.

As shown in FIG. 23, each of the key generation device 100, signature device 200, and verification device 300 includes the CPU 911 (also referred to as a Central Processing Unit, central processing device, processing device, computation device, microprocessor, microcomputer, or processor) which executes programs. The CPU 911 is connected to the ROM 913, the RAM 914, an LCD 901 (Liquid Crystal Display), a keyboard 902 (K/B), the communication board 915, and the magnetic disk device 920 via a bus 912, and controls these hardware devices. In place of the magnetic disk device 920 (fixed disk device), a storage device such as an optical disk device or memory card read/write device may be employed. The magnetic disk device 920 is connected via a predetermined fixed disk interface.

The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory. The RAM 914 is an example of a volatile memory. The ROM 913, the RAM 914, and the magnetic disk device 920 are examples of the storage device (memory). The keyboard 902 and the communication board 915 are examples of an input device. The communication board 915 is an example of a communication device. Furthermore, the LCD 901 is an example of a display device.

The magnetic disk device 920, ROM 913, or the like stores an operating system 921 (OS), a window system 922, programs 923, and files 924. The CPU 911, the operating system 921, and the window system 922 execute each program of the programs 923.

The programs 923 store software and programs that execute the functions described as the “master key generation part 110”, “master key storage part 120”, “information input part 130”, “signing key generation part 140”, “key distribution part 150”, “signing key acquisition part 210”, “information input part 220”, “span program calculation part 230”, “complementary coefficient calculation part 240”, “signature data generation part 250”, “signature data transmission part 260”, “public parameter acquisition part 310”, “data reception part 320”, “verification key generation part 330”, “pairing operation part 340”, and the like in the above description. The programs 923 store other programs as well. The programs are read and executed by the CPU 911.

The files 924 store information, data, signal values, variable values, and parameters such as the “public parameter”, “master key”, “signature data σ”, “signing key”, “access structure S”, “attribute information”, “attribute set Γ”, “message m”, and the like of the above explanation, as the items of a “file” and “database”. The “file” and “database” are stored in a recording medium such as a disk or memory. The information, data, signal values, variable values, and parameters stored in the recording medium such as the disk or memory are read out to the main memory or cache memory by the CPU 911 through a read/write circuit, and are used for the operations of the CPU 911 such as extraction, search, look-up, comparison, computation, calculation, process, output, print, and display. The information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, or buffer memory during the operations of the CPU 1911 including extraction, search, look-up, comparison, computation, calculation, process, output, print, and display.

The arrows of the flowcharts in the above explanation mainly indicate input/output of data and signals. The data and signal values are stored in the memory of the RANI 914, the recording medium such as an optical disk, or in an IC chip. The data and signals are transmitted online via a transmission medium such as the bus 912, signal lines, or cables; or electric waves.

The “part” in the above explanation may be a “circuit”, “device”, “equipment”, “means” or “function”; or a “step”, “procedure”, or “process”. The “device” may be a “circuit”, “equipment”, “means”, or “function”; or a “step”, “procedure”, or “process”. The “process” may be a “step”. Namely, the “part” may be implemented as firmware stored in the ROM 913. Alternatively, the “part” may be practiced as only software; as only hardware such as an element, a device, a substrate, or a wiring line; as a combination of software and hardware; or furthermore as a combination of software, hardware, and firmware. The firmware and software are stored, as programs, in the recording medium such as the ROM 913. The program is read by the CPU 911 and executed by the CPU 911. Namely, the program causes the computer to function as a “part” described above. Alternatively, the program causes the computer or the like to execute the procedure and method of the “part” described above.

REFERENCE SIGNS LIST

-   -   10: signature processing system; 100: key generation device;         110: master key generation part; 111: global parameter         generation part; 112: authority secret key generation part; 120:         master key storage part; 130: information input part; 140:         signing key generation part; 141: random number generation part;         142: key element 0 generation part; 143: key element t         generation part; 144: key element d+1 generation part; 145: key         element generation part; 150: key distribution part; 200:         signature device; 210: signing key acquisition part; 220:         information input part; 221: predicate information input part;         222: message input part; 230: span program calculation part;         240: complementary coefficient calculation part; 250: signature         data generation part; 251: random number generation part; 252:         signature element 0 generation part; 253: signature element i         generation part; 254: signature element L+1 generation part;         255: signature element generation part; 260: signature data         transmission part; 300: verification device; 310: public         parameter acquisition part; 320: data reception part; 330:         verification key generation part; 331: random number generation         part; 332: f vector generation part; 333: s vector generation         part; 334: verification element 0 generation part; 335:         verification element i generation part; 336: verification         element L+1 generation part; 337: verification element         generation part; 340: pairing operation part. 

The invention claimed is:
 1. A signature processing system comprising: a key generation device, a signature device, and a verification device, and serving to execute a signature process using a basis B_(t) and a basis B*_(t) for each integer t=0, . . . , d+1 (d is an integer of 1 or more), wherein the key generation device includes a first information input part which takes as input an attribute set Γ including identification information t and attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t) where n_(t) is an integer of 1 or more) for at least one integer t=1, . . . , d, a key element 0 generation part which generates a key element k*₀ where a predetermined value δ is set as a coefficient for a basis vector b*_(0,1) of a basis B*₀, a key element t generation part which generates a key element k*_(t) where δx_(t,i) (i=1, . . . , n_(t)) obtained by multiplying the attribute information x^(→) _(t) by the predetermined value δ is set as a coefficient for a basis vector b*_(t,i) (i=1, . . . , n_(t)) of the basis B*_(t), concerning each identification information t included in the attribute set Γ inputted by the first information input part, a key element d+1 generation part which generates a key element k*_(d+1,1) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,1) of a basis B*_(d+1), and a key element k*_(d+1,2) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,2) of the basis B*_(d+1), and a signing key transmission part which transmits, to the signature device, a signing key sk_(Γ) including: the key element k*₀ generated by the key element 0 generation part; the key element k*_(t) generated by the key element t generation part concerning each identification information t included in the attribute set F; the key element k*_(d+1,1) and the key element k*_(d+1,2) which are generated by the key element d+1 generation part; and the attribute set Γ, wherein the signature device includes a signature element 0 generation part which generates a signature element s*₀ including the key element k*₀ included in the signing key sk_(Γ), a signature element i generation part which generates, for each integer i=1 . . . , L, a signature element s*_(i) including γ_(i)k*_(t) obtained by multiplying the key element k*_(t) included in the signing key sk_(Γ) by a value γ_(i), by setting the value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified by the complementary coefficient calculation part and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v^(→) _(i)·x^(→) _(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) i); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer i is not included in the set I, a signature element L+1 generation part which generates a signature element s*_(L+1) including a sum of the key element k*_(d+1,1) included in the signing key sk_(Γ) and m′·k*_(d+1,2) obtained by multiplying the key element k*_(d+1,2) by a value m′ generated using the message m, and a signature data transmission part which transmits, to the verification device, signature data σ including: the signature element s*₀ generated by the signature element 0 generation part; the signature element s*_(i) generated for each integer i=1, . . . , L by the signature element i generation part; the signature element s*_(L+1) generated by the signature element L+1 generation part; the message m; the variable ρ(i); and the matrix M, and wherein the verification device includes a data acquisition part which acquires the signature data σ transmitted by the signature data transmission part, a verification element 0 generation part which generates a verification element c₀ by setting, as a coefficient for a basis vector b_(0,1) of a basis B₀, −s₀−s_(L+1) calculated from a value s₀:=h^(→)·f^(→) and a predetermined value s_(L+1), the value s₀:=h^(→)·f^(→) being generated using a vector f^(→) having r pieces of elements, and the vector h^(→), a verification element i generation part which, for each integer i=1, . . . ,L and using a column vector s^(→T):=(s₁, . . . , s_(L))^(T):=M·f^(→T) generated based on the vector f^(→) and the matrix M which is included in the signature data σ acquired by the data acquisition part, and a predetermined number θ_(i) for each integer i=1, . . . , L, generates a verification element c_(i), when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), by setting s_(i)+θ_(i)v_(i,1) as a coefficient for a basis vector b_(t,1) of the basis B_(t) indicated by identification information t of the positive tuple and by setting θ_(i)v_(i,i′) (i′=2, . . . , n_(t)) as a coefficient for a basis vector b_(t,i′) (i′=2, . . . , n_(t)), and generates a verification element c_(i), when the variable ρ (i) is a negative tuple

(t, v^(→) _(i)), by setting s_(i)v_(i,i′) (i′=1, . . . , n_(t)) as a coefficient for the basis vector b_(t,i′) (i′=1, . . . , n_(t)) indicated by identification information t of the negative tuple, a verification element L+1 generation part which generates a verification element c_(L+1) by setting s_(L+1)−θ_(L+1)m′ calculated from the predetermined value s_(L+1), the value m′, and a predetermined value θ_(L+1) as a coefficient for a basis vector b_(d+1,1) of a basis B_(d+1), and by setting the predetermined value θ_(L+1) as a coefficient for a basis vector b_(d+1,2), and a pairing operation part which verifies an authenticity of the signature data a by conducting a pairing operation Π_(i=0) ^(L+1)e(c_(i),s*_(i)) for the verification element c₀ generated by the verification element 0 generation part, the verification element c_(i) generated by the verification element i generation part, the verification element c_(L+1) generated by the verification element L+1 generation part, and the signature elements s*₀, s*_(i), and s*_(L+1) included in the signature data σ.
 2. The signature processing system according to claim 1, which executes the signature process using a basis B₀ having at least the basis vector b_(t,i) (i=1, . . . , 1+u₀, . . . , 1+u₀+w₀, . . . , 1+u₀+w₀+z₀), the basis B_(t) (t=1, . . . , d) having at least the basis vector b_(t,i) (i=1, . . . , n_(t), n_(t)+u_(t), . . . , n_(t)+u_(t)+w_(t), . . . , n_(t)+u_(t)+w_(t)+z_(t)) (u_(t), w_(t), and z_(t) are each an integer of 1 or more), the basis B_(d+1) having at least the basis vector b_(t,i) (i=1, 2, . . . , 2+u_(d+1), . . . , 2+u_(d+1)+w_(d+1), . . . , 2+u_(d+1)+w_(d+1)+z_(d+1)), the basis B*₀ having at least a basis vector b*_(t,i) (i=1, . . . , 1+u₀, . . . , 1+u₀+w₀, . . . , 1+u₀+w₀+z₀), the basis B*_(t) (t=1, . . . , d) having at least the basis vector b*_(t,i) (i=1, . . . , n_(t), . . . , n_(t)+u_(t), . . . , n_(t)+u_(t)+w_(t), . . . , n_(t)+u_(t)+w_(t)+z_(t)) (u_(t), w_(t), and z_(t) are each an integer of 1 or more), and the basis B*_(d+1) having at least the basis vector b*_(t,i) (i=1, 2, . . . , 2+u_(d+1), . . . , 2+u_(d+1)+w_(d+1), . . . , 2+u_(d+1)+w_(d+1)+z_(d+1)), wherein, in the key generation device, the key element 0 generation part generates the key element k*₀ indicated in Formula 1 based on a random number δ and a random number φ_(0,i) (i=1, . . . , w₀), the key element t generation part generates the key element k*_(i) indicated in Formula 2 for each identification information t included in the attribute set Γ based on the random number δ and a random number φ_(i,i) (i=1, . . . , w_(t)), and the key element d+1 generation part generates the key element k*_(d+1,1) and the key element k*_(d+1,2) which are indicated in Formula 3 based on the random number δ, a random number φ_(d+1,1,i) (i=1, . . . , w_(d+1)), and a random number φ_(d+1,2,i) (i=1, . . . , w_(d+1)), wherein, in the signature device, the signature element 0 generation part generates the signature element s*₀ indicated in Formula 4 based on a random number 4, the signature element i generation part generates the signature element s*_(i) indicated in Formula 5 for each integer i=1, . . . , L based on the random number ξ, and the signature element L+1 generation part generates the signature element s*_(L+1) indicated in Formula 6 based on the random number ξ and the value m′, and wherein, in the verification device, the verification element 0 generation part generates the verification element c₀ indicated in Formula 7 based on the value s₀, the random number s_(L+1), and a random number η_(0,i) (i=1, . . . , z₀), the verification element i generation part generates the verification element c_(i) indicated in Formula 8 for each integer i=1, . . . , L based on the column vector s^(→T), the random number 74 _(i), and a random number η_(i,i′) (i=1, . . . , L; i′=1, . . . , z_(t)), and the verification element L+1 generation part generates the element c_(L+1) indicated in Formula 9 based on the random number s_(L+1), the random number θ_(L+1,) a random number η_(L+1,i′) (i′=1, . . . , z_(d+1)), and the value m′, $\begin{matrix} {\mspace{79mu}{k_{0}^{*}:={\left( {\delta,\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{\overset{w_{0}}{︷}}{\varphi_{0,1},\ldots\mspace{14mu},\varphi_{0,w_{0}}},\overset{\overset{z_{0}}{︷}}{0^{z_{0}}}} \right)B_{0}^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 1} \right\rbrack \\ {k_{t}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{\delta\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{\varphi_{t,1},\ldots\mspace{14mu},\varphi_{t,w_{t}}},\overset{\overset{z_{t}}{︷}}{0^{z_{t}}}} \right)B_{t}^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 2} \right\rbrack \\ {{k_{{d + 1},1}^{*}:={\left( {\overset{\overset{2}{︷}}{\delta\left( {1,0} \right)},\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}}},\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},1,1},\ldots\mspace{14mu},\varphi_{{d + 1},1,w_{d + 1}}},\overset{\overset{z_{d + 1}}{︷}}{0^{z_{d + 1}}}} \right)B_{d + 1}^{*}}},{k_{{d + 1},2}^{*}:={\left( {\overset{\overset{2}{︷}}{\delta\left( {0,1} \right)},\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}}},\overset{\overset{w_{d + 1}}{︷}}{\varphi_{{d + 1},2,1},\ldots\mspace{14mu},\varphi_{{d + 1},2,w_{d + 1}}},\overset{\overset{z_{d + 1}}{︷}}{0^{z_{d + 1}}}} \right)B_{d + 1}^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 3} \right\rbrack \\ {{s_{0}^{*}:={{\xi\; k_{0}^{*}} + r_{0}^{*}}},{{where}\mspace{14mu}{r_{0}^{*}\overset{U}{\longleftarrow}{span}}\mspace{14mu}\left\langle {b_{0,{1 + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{0,{1 + u_{t} + w_{t}}}^{*}} \right\rangle}} & \left\lbrack {{Formula}\mspace{14mu} 4} \right\rbrack \\ {{s_{i}^{*}:={{{{\gamma_{i} \cdot \xi}\; k_{t}^{*}} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,t} \cdot b_{t,l}^{*}}} + {r_{i}^{*}\mspace{14mu}{for}\mspace{14mu} 1}} \leq i \leq L}},\mspace{79mu}{where}} & \left\lbrack {{Formula}\mspace{14mu} 5} \right\rbrack \\ {{{{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\mspace{14mu}\left\langle {b_{t,{n_{t} + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{n_{t} + u_{t} + w_{t}}}^{*}} \right\rangle},\mspace{14mu}\gamma_{i},{{\overset{->}{y}}_{i}:={\left( {y_{i,1},\ldots\mspace{14mu},y_{i,n_{t}}} \right)\mspace{14mu}{are}\mspace{14mu}{defined}\mspace{14mu}{as}}}}{{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = \left( {t,v_{i}} \right)},{\gamma_{i}:=\alpha_{i}},\mspace{14mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}} = \beta_{i}}} \right\}},}} & \; \\ {{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},\mspace{14mu}{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{x}}_{t}}},{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = \left( {t,v_{i}} \right)},{\gamma_{i}:=0},\mspace{14mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}} = \beta_{i}}} \right\}},} & \; \\ {{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},\mspace{14mu}{\gamma_{i}:=0},{\overset{->}{y_{i}}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},\mspace{14mu}{\left( \beta_{i} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right) \middle| {\sum\limits_{i = 1}^{L}{\beta_{i}M_{i}}} \right. = \overset{->}{0}} \right\}}} & \; \\ {\;{{s_{L + 1}^{*}:={{\xi\left( {k_{{d + 1},1}^{*} + {m^{\prime} \cdot k_{{d + 1},2}^{*}}} \right)} + r_{L + 1}^{*}}},{{where}\mspace{14mu}{r_{L + 1}^{*}\overset{U}{\longleftarrow}{span}}\mspace{14mu}\left\langle {b_{{d + 1},{2 + u_{d + 1} + 1}}^{*},\ldots\mspace{14mu},b_{{d + 1},{2 + u_{d + 1} + w_{d + 1}}}^{*}} \right\rangle}}} & \left\lbrack {{Formula}\mspace{14mu} 6} \right\rbrack \\ {c_{0}:={\left( {{{- s_{0}} - s_{L + 1}},\overset{\overset{u_{0}}{︷}}{0^{u_{0}}},\overset{\overset{w_{0}}{︷}}{0^{w_{0}}},\overset{\overset{z_{0}}{︷}}{\eta_{0,1},\ldots\mspace{14mu},\eta_{0,z_{0}}}} \right)B_{0}}} & \left\lbrack {{Formula}\mspace{14mu} 7} \right\rbrack \\ {{{{if}\mspace{14mu}{\rho(i)}} = \left( {t,v_{i}} \right)},{c_{i}:={\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},\eta_{i,z_{t}}}} \right)B_{t}}},{{{if}\mspace{14mu}{\rho(i)}} = {⫬ \left( {t,v_{i}} \right)}},} & \left\lbrack {{Formula}\mspace{14mu} 8} \right\rbrack \\ {c_{i}:={\left( {\overset{\overset{n_{t}}{︷}}{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},\eta_{i,z_{t}}}} \right)B_{t}}} & \; \\ {c_{L + 1}:={\left( {\overset{\overset{2}{︷}}{{s_{L + 1} - {\theta_{L + 1}m^{\prime}}},\theta_{L + 1}},\overset{\overset{u_{d + 1}}{︷}}{0^{u_{d + 1}}},\overset{\overset{w_{d + 1}}{︷}}{0^{w_{d + 1}}},\overset{\overset{z_{d + 1}}{︷}}{\eta_{{L + 1},1},\ldots\mspace{14mu},\eta_{{L + 1},z_{d + 1}}}} \right){B_{d + 1}.}}} & \left\lbrack {{Formula}\mspace{14mu} 9} \right\rbrack \end{matrix}$
 3. The signature processing system according to claim 1, wherein, in the signature device, the signature element L+1 generation part generates the signature element s*_(L+1) using a hash value obtained upon input of the message m, the matrix M, and the variable ρ(i) for each integer i=1, . . . , L, as the value m′, and wherein, in the verification device, the verification element L+1 generation part generates the verification element c_(L+1) using the hash value as the value m′.
 4. A signature processing system comprising: d (d is an integer of 1 or more) units of key generation devices, a signature device, and a verification device, and serving to execute a signature process using a basis B_(t) and a basis B*_(t) for at least one integer t=0, . . . , d, wherein each of the d units of key generation devices includes a first information input part which takes as input attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t) where n_(t) is an integer of 1 or more) for an integer t among integers t=1, . . . , d which is predetermined for each of the key generation devices, a key element generation part which, for the integer t and each integer j=1, 2, generates a key element k*_(t,j) including a vector indicated in Formula 10 based on the attribute information x^(→) _(t) inputted by the first information input part, a predetermined value δ_(j), and a basis vector b*_(t,i) (i=1, . . . , 2n_(t)) of the basis B*_(t), and a signing key transmission part which transmits, to the signature device, a signing key usk including: the key element k*_(t,j) generated by the key element generation part; and the attribute information x^(→) _(t), a second information input part which takes as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i):=(v_(i,i′))(i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message m, a signing key acquisition part which acquires the signing key sk_(Γ) transmitted by the signing key transmission part, a complementary coefficient calculation part which, based on the variable ρ(i) inputted by the second information input part and the attribute set Γ included in the signing key sk_(Γ) acquired by the signing key acquisition part, specifies, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the positive tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the negative tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the negative tuple does not become 0; and calculates, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted by the second information input part becomes a predetermined vector h^(→), wherein the signature device includes a second information input part which takes as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i):=(v_(i,i′))(i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message m, a signing key acquisition part which acquires the signing key usk transmitted by the signing key transmission part of at least one key generation device among the d units of key generation devices, a complementary coefficient calculation part which, based on the variable ρ(i) inputted by the second information input part and the attribute information x^(→) _(t) included in the signing key usk acquired by the signing key acquisition part, specifies, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)), the signing key usk including x^(→) _(t) indicated by identification information t of the positive tuple being acquired by the signing key acquisition part, and with which an inner-product of v^(→) _(i) of the positive tuple and the attribute information x^(→) _(t) indicated by the identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), the signing key usk including x^(→) _(t) indicated by identification information t of the negative tuple being acquired by the signing key acquisition part, and with which an inner-product of v^(→) _(i) of the negative tuple and the attribute information x^(→) _(t) indicated by the identification information t of the negative tuple does not become 0; and calculates, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted by the second information input part becomes a predetermined vector h^(→), a signature element generation part which generates, for each integer i=1, . . . , L, a signature element s*_(i) including a vector indicated in Formula 11 using the basis vector b*_(t,i) (i=2n_(t)+1, 2n_(t)+2) of the basis B*_(t), based on a key element k*_(t,1) and a key element k*_(t,2) included in the signing key usk, predetermined values ξ₁, E, and μ, and a value m′ calculated from the message m, by setting a value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified by the complementary coefficient calculation part and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v_(i)·x_(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) _(i)); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer i is not included in the set I, and a signature data transmission part which transmits, to the verification device, signature data σ including: the signature element s*_(i) generated for each integer i=1, . . . , L by the signature element generation part; the message m; the variable ρ(i); and the matrix M, and wherein the verification device includes a data acquisition part which acquires the signature data σ transmitted by the signature data transmission part, a vector generation part which generates a column vector s^(→T):=(s₁, . . . , s_(L))^(T):=M·f^(→T) based on a vector f^(→) having r pieces of elements and the matrix M included in the signature data σ acquired by the data acquisition part, and generates a column vector (s^(→′))^(T):=(s₁′, . . . , s_(L)′)^(T):=M·(f^(→)′)^(T) based on the matrix M and a vector f^(→1) having r pieces of elements and satisfying s₀=h^(→)·(f^(→)′)^(T) where s₀=h^(→)·f^(→T), a verification element generation part which, for each integer i=1, . . . , L and based on the column vector s^(→T) and the column vector (s^(→)′)^(T) which are generated by the vector generation part, and predetermined values θ_(i), θ_(i)′, θ_(i)″, and σ_(i) for each integer i=1, . . . , L, generates a verification element c_(i) including a vector indicated in Formula 12, when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), using a basis vector b_(t,i′) (i=1, . . . , 2n_(t)+2) of the basis B_(t) indicated by identification information t of the positive tuple, and generates a verification element c_(i) including a vector indicated in Formula 13, when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), using a basis vector b_(t,i) (i=1, . . . , 2n_(t)+2) indicated by identification information t of the negative tuple, and a pairing operation part which verifies an authenticity of the signature data σ by conducting a pairing operation Π_(i=1) ^(L)e(c_(i),s*_(i)) for the verification element c_(i) generated by the verification element generation part, and the signature element s*_(i) included in the signature data σ, $\begin{matrix} {\left( {\overset{\overset{n_{t}}{︷}}{\left( {\delta_{j} + 1} \right)\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{- {\delta_{j}\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)}},0,\ldots\mspace{14mu},0} \right)B_{t}^{*}} & \left\lbrack {{Formula}\mspace{14mu} 10} \right\rbrack \\ {{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {E - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + \left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {m^{\prime}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 11} \right\rbrack \\ {\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i,1}}},{\theta_{i}^{\prime}v_{i,2}},\ldots\mspace{11mu},{\theta_{i}^{\prime}v_{i,n_{t}}}},\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime}},0,\ldots\mspace{14mu},0} \right)B_{t}} & \left\lbrack {{Formula}\mspace{14mu} 12} \right\rbrack \\ {\left( {\overset{\overset{n_{t}}{︷}}{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{s_{i}^{\prime}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime}},0,\ldots\mspace{14mu},0} \right){B_{t}.}} & \left\lbrack {{Formula}\mspace{14mu} 13} \right\rbrack \end{matrix}$
 5. The signature processing system according to claim 4, which executes the signature process using, for at least one integer t=1, . . . , d, the basis B_(t) having at least the basis vector b_(t,i) (i=1, . . . , 2n_(t)+2, . . . , 2n_(t)+2+u_(t), . . . , 2n_(t)+2+u_(t)+w_(t), . . . , 2n_(t)+2+u_(t)+w_(t)+z_(t)) (where u_(t), w_(t), and z_(t) are each an integer of 1 or more), and the basis B*_(t) having at least the basis vector b*_(t,i) (i=1, . . . , 2n_(t)+2, . . . , 2n_(t)+2+u_(t), . . . 2n_(t)+2+u_(t)+w_(t), . . . 2n_(t)+2+u_(t)+w_(t)+z_(t)), wherein, in the key generation device, the key element k*_(t,j) indicated in Formula 14 is generated for the integer t and each integer j=1, 2 based on the attribute information x^(→) _(t), the predetermined values δ and Δ, and a random number φ_(t,j,i) (j=1, 2; i=1, . . . , w_(t)), wherein, in the signature device, the signature element generation part generates, for each integer i=1 . . . , L, the signature element s*_(i) indicated in Formula 16 using r*_(i), γ_(i), y^(→) _(i):=(y_(i,i)) (i=1, . . . , n_(t)), and y′^(→) _(i)=(y′_(i,i))(i=1, . . . , n_(t)) indicated in Formula 15, based on the key element k*_(t,1) and the key element k*_(t,2), random numbers ξ₁ and ξ₂, predetermined values E, π, π′, and μ, and the value m′, and wherein, in the verification device, the verification element generation part, for each integer i=1, . . . , L and based on the column vector s^(→T) and the column vector (s^(→)′)^(T), random numbers θ_(i), θ_(i)′, and θ_(i)″, the predetermined value σ_(i), and a random number η_(i,i′) (i=1, . . . , L; i′=1, . . . , z_(t)), generates the verification element c_(i) indicated in Formula 17 when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), and generates the verification element c_(i) indicate in Formula 18 when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), $\begin{matrix} {k_{t,j}^{*}:={\left( {\overset{\overset{n_{t}}{︷}}{\left( {\delta_{j} + \Delta} \right)\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{- {\delta_{j}\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)}},\overset{\overset{2}{︷}}{0^{2}},\overset{\overset{u_{t}}{︷}}{0^{u_{t}}},\overset{\overset{w_{t}}{︷}}{\varphi_{t,j,1},\ldots\mspace{14mu},\varphi_{t,j,w_{t}}},\overset{\overset{z_{t}}{︷}}{0^{z_{t}}}} \right)B_{t}^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 14} \right\rbrack \\ {{{{r_{i}^{*}\overset{U}{\longleftarrow}{span}}\mspace{14mu}\left\langle {b_{t,{{2n_{t}} + 2 + u_{t} + 1}}^{*},\ldots\mspace{14mu},b_{t,{{2n_{t}} + 2 + u_{t} + w_{t}}}^{*}} \right\rangle}{{{{{{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = \left( {t,{\overset{->}{v}}_{i}} \right)},{\gamma_{i}:=\alpha_{i}},\mspace{14mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}} = \beta_{i}}} \right\}},}}\mspace{20mu}} & \left\lbrack {{Formula}\mspace{14mu} 15} \right\rbrack \\ {{{{{{\overset{->}{y_{i}^{\prime}}\overset{U}{\longleftarrow}\left\{ {\left. \overset{->}{y_{i}^{\prime}} \middle| {\overset{->}{y_{i}^{\prime}} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}}{if}\mspace{14mu} i} \in I} ⩓ {\rho(i)}} = {⫬ \left( {t,{\overset{->}{v}}_{i}} \right)}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{->}{v}}_{i} \cdot {\overset{->}{x}}_{t}}},\mspace{124mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{\overset{->}{y_{i}^{\prime}}\overset{U}{\longleftarrow}\left\{ {\left. \overset{->}{y_{i}^{\prime}} \middle| {\overset{->}{y_{i}^{\prime}} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},} & \; \\ {{{{{{if}\mspace{14mu} i} \notin I} ⩓ {\rho(i)}} = \left( {t,{\overset{->}{v}}_{i}} \right)},{\gamma_{i}:=0},\mspace{14mu}{{\overset{->}{y}}_{i}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}} = \beta_{i}}} \right\}},\mspace{14mu}{\overset{->}{y_{i}^{\prime}}\overset{U}{\longleftarrow}\left\{ {\left. \overset{->}{y_{i}^{\prime}} \middle| {\overset{->}{y_{i}^{\prime}} \cdot {\overset{->}{v}}_{i}} \right. = {{0 ⩓ y_{i,1}^{\prime}} = \beta_{i}^{\prime}}} \right\}}} & \; \\ {{{{{{if}\mspace{11mu} i} \notin I} ⩓ {\rho(i)}} = {⫬ \left( {t,{\overset{->}{v}}_{i}} \right)}},{\gamma_{i}:=0},\mspace{14mu}{\overset{->}{y_{i}}\overset{U}{\longleftarrow}\left\{ {\left. {\overset{->}{y}}_{i} \middle| {{\overset{->}{y}}_{i} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}} \right\}},{\overset{->}{y_{i}^{\prime}}\overset{U}{\longleftarrow}\left\{ {\left. \overset{->}{y_{i}^{\prime}} \middle| {\overset{->}{y_{i}^{\prime}} \cdot {\overset{->}{v}}_{i}} \right. = \beta_{i}^{\prime}} \right\}},\mspace{79mu}\left( \beta_{i} \right),{\left( \beta_{i}^{\prime} \right)\overset{U}{\longleftarrow}\left\{ {\left. \left( {\beta_{1},\ldots\mspace{14mu},\beta_{L}} \right) \middle| {\sum\limits_{i = 1}^{L}\;{\beta_{i}M_{i}}} \right. = \overset{\rightarrow}{0}} \right\}}} & \; \\ {s_{i}^{*}:={{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {1 - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,l}\left( {\pi\; b_{t,l}^{*}} \right)}} + {\sum\limits_{t = 1}^{n_{t}}{y_{i,l}^{\prime}\left( {\pi^{\prime}b_{t,{n_{t} + l}}^{*}} \right)}} + {\xi_{2}\left( {\left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {m^{\prime}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}} \right)} + r_{i}^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 16} \right\rbrack \\ {c_{i}:={\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i,1}}},{\theta_{i}^{\prime}v_{i,2}},\ldots\mspace{11mu},{\theta_{i}^{\prime}v_{i,n_{t}}}},{\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},\eta_{i,z_{t}}}} \right)B_{t}}} & \left\lbrack {{Formula}\mspace{14mu} 17} \right\rbrack \\ {c_{i}:={\left( {{\overset{\overset{n_{t}}{︷}}{{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},}\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},}\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime},}\overset{\overset{u_{t}}{︷}}{0^{u_{t}}}},\overset{\overset{w_{t}}{︷}}{0^{w_{t}}},\overset{\overset{z_{t}}{︷}}{\eta_{i,1},\ldots\mspace{14mu},n_{i,z_{t}}}} \right){B_{t}.}}} & \left\lbrack {{Formula}\mspace{14mu} 18} \right\rbrack \end{matrix}$
 6. The signature processing system according to claim 4, wherein, in the signature device, the signature element generation part generates the signature element s*_(i) using a hash value obtained upon input of the message m, the matrix M, and the variable ρ(i) for each integer i=1, L, as the value m′, and wherein, in the verification device, the verification element generation part generates the verification element c_(i) using the hash value as the value m′.
 7. A signature processing method of executing a signature process using a basis B_(t) and a basis B*_(t) for each integer t=0, . . . , d+1 (d is an integer of 1 or more), comprising: a first information input step of, with a key generation device, taking as input an attribute set Γ including identification information t and attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t) where n_(t) is an integer of 1 or more) for at least one integer t=1, . . . , d; a key element 0 generation step of, with the key generation device, generating a key element k*₀ where a predetermined value δ is set as a coefficient for a basis vector b*_(0,1) of a basis B*₀; a key element t generation step of, with the key generation device, generating a key element k*_(t) where δx_(t,i) (i=1, . . . , n_(t)) obtained by multiplying the attribute information x^(→) _(t) by the predetermined value δ is set as a coefficient for a basis vector b*_(t,i) (i=1, . . . , n_(t)) of the basis B*_(t), concerning each identification information t included in the attribute set Γ inputted in the first information input step; a key element d+1 generation step of, with the key generation device, generating a key element k*_(d+1,1) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,1) of a basis B*_(d+1), and a key element k*_(d+1,2) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,2) of the basis B*_(d+1); a signing key transmission step of, with the key generation device, transmitting, to a signature device, a signing key sk_(Γ) including: the key element k*₀ generated in the key element 0 generation step; the key element k*_(t) generated in the key element t generation step concerning each identification information t included in the attribute set Γ; the key element k*_(d+1,1) and the key element k*_(d+1,2) which are generated in the key element d+1 generation step; and the attribute set Γ; a second information input step of, with the signature device, taking as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i):=(v_(i,i′))(i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message m; a signing key acquisition step of, with the signature device, acquiring the signing key sk_(Γ) transmitted in the signing key transmission step; a complementary coefficient calculation step of, with the signature device, based on the variable ρ(i) inputted in the second information input step and the attribute set Γ included in the signing key sk_(Γ) acquired in the signing key acquisition step, specifying, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the positive tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the negative tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the negative tuple does not become 0; and calculating, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted in the second information input step becomes a predetermined vector h^(→); a signature element 0 generation step of, with the signature device, generating a signature element s*₀ including the key element k*₀ included in the signing key sk_(Γ); a signature element i generation step of, with the signature device, generating, for each integer i=1 . . . , L, a signature element s*_(i) including γ_(i)k*_(t) obtained by multiplying the key element k*_(t) included in the signing key sk_(Γ) by a value γ_(i), by setting the value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified in the complementary coefficient calculation step and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v^(→) _(i)·x^(→) _(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) _(i)); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer i is not included in the set I; a signature element L+1 generation step of, with the signature device, generating a signature element s*_(L+1) including a sum of the key element k*_(d+1,1) included in the signing key sk_(Γ) and m′·k*_(d+1,2) obtained by multiplying the key element k*_(d+1,2) by a value m′ generated using the message m; a signature data transmission step of, with the signature device, transmitting, to a verification device, signature data σ including: the signature element s*₀ generated in the signature element 0 generation step; the signature element s*_(i) generated for each integer i=1, . . . , L in the signature element i generation step; the signature element s*_(L+1) generated in the signature element L+1 generation step; the message m; the variable ρ(i); and the matrix M; a data acquisition step of, with the verification device, acquiring the signature data σ transmitted in the signature data transmission step; a verification element 0 generation step of, with the verification device, generating a verification element c₀ by setting, as a coefficient for a basis vector b_(0,1) of a basis B₀, −s₀-s_(L+1) calculated from a value s₀:=h^(→)·f^(→) and a predetermined value s_(L+1), the value s₀:=h^(→)·f^(→) being generated using a vector f^(→) having r pieces of elements, and the vector h^(→); a verification element i generation step of, with the verification device, for each integer i=1, . . . , L and using a column vector s^(→T):=(s₁, . . . , s_(L))^(T):=M·f^(→T) generated based on the vector f^(→) and the matrix M which is included in the signature data a acquired in the data acquisition step, and a predetermined number θ_(i) for each integer i=1, . . . , L, generating a verification element c_(i), when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), by setting s_(i)+θ_(i)v_(i,1) as a coefficient for a basis vector b_(t,1) of the basis B_(t) indicated by identification information t of the positive tuple and by setting θ_(i)v_(i,i′) (i′=2, . . . , n_(t)) as a coefficient for a basis vector b_(t,i′) (i′=2, . . . , n_(t)), and generating a verification element c_(i), when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), by setting s_(i)v_(i,i′) (i′=1, . . . , n_(t)) as a coefficient for the basis vector b_(t,i′) (i′=1, . . . , n_(t)) indicated by identification information t of the negative tuple; a verification element L+1 generation step of, with the verification device, generating a verification element by setting s_(L+1)−θ_(L+1)m′ calculated from the predetermined value s_(L+1), the value m′, and a predetermined value θ_(L+1) as a coefficient for a basis vector b_(d+1,1) of a basis B_(d+1), and by setting the predetermined value θ_(L+1) as a coefficient for a basis vector b_(d+1,2); and a pairing operation step of, with the verification device, verifying an authenticity of the signature data σ by conducting a pairing operation Π_(i=0) ^(L+1)e(c_(i),s*_(i)) for the verification element c₀ generated in the verification element 0 generation step, the verification element c_(i) generated in the verification element i generation step, the verification element c_(L+1) generated in the verification element L+1 generation step, and the signature elements s*₀, s*_(i), and s*_(L+1) included in the signature data σ.
 8. A non-transitory computer readable medium including a signature processing program comprising: a key generation program to run on a key generation device, a signature program to run on a signature device, and a verification program to run on a verification device, and serving to execute a signature process using a basis B_(t) and a basis B*_(t) for each integer t=0, . . . , d+1 (d is an integer of 1 or more), wherein the key generation program causes a computer to execute a first information input process of taking as input an attribute set Γ including identification information t and attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t) where n_(t) is an integer of 1 or more) for at least one integer t=1, . . . , d, a key element 0 generation process of generating a key element k*₀ where a predetermined value δ is set as a coefficient for a basis vector b*_(0,1) of a basis B*₀, a key element t generation process of generating a key element k*_(t) where δx_(t,i) (i=1, . . . , n_(t)) obtained by multiplying the attribute information x^(→) _(t) by the predetermined value δ is set as a coefficient for a basis vector b*_(t,i) (i=1, . . . , n_(t)) of the basis B*_(t), concerning each identification information t included in the attribute set Γ inputted in the first information input process, a key element d+1 generation process of generating a key element k*_(d+1,1) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,1) of a basis B*_(d+1), and a key element k*_(d+1,2) where the predetermined value δ is set as a coefficient for a basis vector b*_(d+1,2) of the basis B*_(d+1), and a signing key transmission process of transmitting, to a signature device, a signing key sk_(Γ) including: the key element k*₀ generated in the key element 0 generation process; the key element k*_(t) generated in the key element t generation process concerning each identification information t included in the attribute set Γ; the key element k*_(d+1,1) and the key element k*_(d+1,2) which are generated in the key element d+1 generation process; and the attribute set Γ, wherein the signature program causes the computer to execute a second information input process of taking as input a variable ρ(i) for each integer i=1, L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i):=(v_(i,i′))(i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message m, a signing key acquisition process of acquiring the signing key sk_(Γ) transmitted in the signing key transmission process, a complementary coefficient calculation process of, based on the variable ρ(i) inputted in the second information input process and the attribute set Γ included in the signing key sk_(Γ) acquired in the signing key acquisition process, specifying, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the positive tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)) and with which an inner-product of v^(→) _(i) of the negative tuple and x^(→) _(t) included in the attribute set Γ indicated by identification information t of the negative tuple does not become 0; and calculating, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted in the second information input process becomes a predetermined vector h^(→), a signature element 0 generation process of generating a signature element s*₀ including the key element k*₀ included in the signing key sk_(Γ), a signature element i generation process of generating, for each integer i=1 . . . , L, a signature element s*_(i) including γ_(i)k*_(t) obtained by multiplying the key element k*_(t) included in the signing key sk_(Γ) by a value γ_(i), by setting the value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified in the complementary coefficient calculation process and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v^(→) _(i)·x^(→) _(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) _(i)); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer i is not included in the set I, a signature element L+1 generation process of generating a signature element s*_(L+1) including a sum of the key element k*_(d+1,1) included in the signing key sk_(Γ) and m′·k*_(d+1,2) obtained by multiplying the key element k*_(d+1,2) by a value m′ generated using the message m, and a signature data transmission process of transmitting, to a verification device, signature data σ including: the signature element s*₀ generated in the signature element 0 generation process; the signature element s*_(i) generated for each integer i=1, . . . , L in the signature element i generation process; the signature element s*_(L+1) generated in the signature element L+1 generation process; the message m; the variable ρ(i); and the matrix M, and wherein the verification program causes the computer to execute a data acquisition process of acquiring the signature data σ transmitted in the signature data transmission process, a verification element 0 generation process of generating a verification element c₀ by setting, as a coefficient for a basis vector b_(0,1) of a basis B₀, −s₀-s_(L+1) calculated from a value s₀:=h^(→)·f^(→) and a predetermined value s_(L+1), the value s₀:=h→·f^(→) being generated using a vector f^(→) having r pieces of elements, and the vector h^(→), a verification element i generation process of, for each integer i=1, . . . , L and using a column vector s^(→T):=(s₁, . . . , s_(L))^(T):=M·f^(T) generated based on the vector f^(→) and the matrix M which is included in the signature data σ acquired in the data acquisition process, and a predetermined number θ_(i) for each integer i=1, . . . L, generating a verification element c_(i), when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), by setting s_(i)+θ_(i)v_(i,1) as a coefficient for a basis vector b_(t,1) of the basis B_(t) indicated by identification information t of the positive tuple and by setting θ_(i)v_(i,i′) (i′=2, . . . , n_(t)) as a coefficient for a basis vector b_(t,i′) (i′=2, . . . , n_(t)), and generating a verification element c_(i), when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), by setting (i′=1, . . . , n_(t)) as a coefficient for the basis vector b_(t,i′) (i′=1, . . . , n_(t)) indicated by identification information t of the negative tuple, a verification element L+1 generation process of generating a verification element c_(L+1) by setting s_(L+1)+θ_(L+1)m′ calculated from the predetermined value s_(L+1), the value m′, and a predetermined value θ_(L+1) as a coefficient for a basis vector b_(d+1,1) of a basis B_(d+1,2), and by setting the predetermined value θ_(L+1), as a coefficient for a basis vector b_(d+1,2), and a pairing operation process of verifying an authenticity of the signature data σ by conducting a pairing operation Π₀ ^(L+1)e(c_(i),s*_(i)) for the verification element c₀ generated in the verification element 0 generation process, the verification element c_(i) generated in the verification element i generation process, the verification element c_(L+1) generated in the verification element L+1 generation process, and the signature elements s*₀, s*_(i), and s*_(L+1) included in the signature data σ.
 9. A signature processing method of executing a signature process using a basis B_(t) and a basis B*_(t) for at least one integer t=0, . . . , d (d is an integer of 1 or more), the signature processing method including: a first information input step of, with at least one key generation device among d units of key generation devices, taking as input attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t)) for an integer t among t=1, . . . , d which is predetermined for each of the key generation devices; a key element generation step of, with the at least one key generation device, for the integer t and each integer j=1, 2, generating a key element k*_(t,j) including a vector indicated in Formula 24 based on the attribute information x^(→) _(t) inputted in the first information input step, a predetermined value δ_(j), and a basis vector b*_(t,i) (i=1, . . . , 2n_(t)) of the basis B*_(t); a signing key transmission step of, with the at least one key generation device, transmitting, to a signature device, a signing key usk including: the key element k*_(t,j) generated in the key element generation step; and the attribute information x^(→) _(t); a second information input step of, with the signature device, taking as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i):=(v_(i,i′))(i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message m; a signing key acquisition step of, with the signature device, acquiring the signing key usk transmitted in the signing key transmission step of at least one key generation device among the d units of key generation devices; a complementary coefficient calculation step of, with the signature device and based on the variable ρ(i) inputted in the second information input step and the attribute information x^(→) _(t) included in the signing key usk acquired in the signing key acquisition step, specifying, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)), the signing key usk including x^(→) _(t) indicated by identification information t of the positive tuple being acquired in the signing key acquisition step, and with which an inner-product of v^(→) _(i) of the positive tuple and the attribute information x^(→) _(t) indicated by the identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), the signing key usk including x^(→) _(t) indicated by the identification information t of the negative tuple being acquired in the signing key acquisition step, and with which an inner-product of v^(→) _(i) of the negative tuple and the attribute information x^(→) _(t) indicated by the identification information t of the negative tuple does not become 0; and calculating, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted in the second information input step becomes a predetermined vector h^(→); a signature element generation step of, with the signature device, generating, for each integer i=1 . . . , L, a signature element s*_(i) including a vector indicated in Formula 25 using the basis vector b*_(t,i) (i=2n_(t)+1, 2n_(t)+2) of the basis B*_(t), based on a key element k*_(t,1) and a key element k*_(t,2) included in the signing key usk, predetermined values ξ₁, E, and μ, and a value m′ calculated from the message m, by setting a value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified in the complementary coefficient calculation step and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v_(i)·x_(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) _(i)); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer i is not included in the set I; a signature data transmission step of, with the signature device, transmitting, to a verification device, signature data σ including: the signature element s*_(i) generated for each integer i=1, . . . , L in the signature element generation step; the message m; the variable ρ(i); and the matrix M; a data acquisition step of, with the verification device, acquiring the signature data a transmitted in the signature data transmission step; a vector generation step of, with the verification device, generating a column vector s^(→T):=(s₁, . . . , s_(L))^(T):=M·f^(→T) based on a vector f^(→) having r pieces of elements and the matrix M included in the signature data σ acquired in the data acquisition step, and generating a column vector (s^(→)′)^(T):=(s₁′, . . . , s_(L))^(T):=M·(f^(→)′)^(T) based on the matrix M and a vector f^(→)′ having r pieces of elements and satisfying s₀=h^(→)·(f^(→)′)^(T) where s₀=h^(→)·f^(→T); a verification element generation step of, with the verification device, for each integer i=1, . . . , L and based on the column vector s^(→T) and the column vector (s^(→)′)^(T) which are generated in the vector generation step, and predetermined values θ_(i), θ_(i)′, θ_(i)″, and σ_(i) for each integer i=1, . . . , L, generating a verification element c_(i) including a vector indicated in Formula 26, when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), using a basis vector b_(t,i′) (i′=1, . . . , 2n_(t)+2) of the basis B_(t) indicated by identification information t of the positive tuple, and generating a verification element c_(i) including a vector indicated in Formula 27, when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), using a basis vector b_(t,i) (i′=1, . . . , 2n_(t)+2) indicated by identification information t of the negative tuple; and a pairing operation step of, with the verification device, verifying an authenticity of the signature data σ by conducting a pairing operation Π_(i=1) ^(L)e(c_(i),s*_(i)) for the verification element c_(i) generated in the verification element generation step and the signature element s*_(i) included in the signature data σ, $\begin{matrix} {\left( {\overset{\overset{n_{t}}{︷}}{\left( {\delta_{j} + 1} \right)\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{- {\delta_{j}\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)}},0,\ldots\mspace{14mu},0} \right)B_{t}^{*}} & \left\lbrack {{Formula}\mspace{14mu} 24} \right\rbrack \\ {\mspace{76mu}{{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {E - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + \left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {m^{\prime}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 25} \right\rbrack \\ {\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i,1}}},{\theta_{i}^{\prime}v_{i,2}},\ldots\mspace{11mu},{\theta_{i}^{\prime}v_{i,n_{t}}}},\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime}},0,\ldots\mspace{14mu},0} \right)B_{t}} & \left\lbrack {{Formula}\mspace{14mu} 26} \right\rbrack \\ {\left( {\overset{\overset{n_{t}}{︷}}{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{s_{i}^{\prime}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime}},0,\ldots\mspace{14mu},0} \right){B_{t}.}} & \left\lbrack {{Formula}\mspace{14mu} 27} \right\rbrack \end{matrix}$
 10. A non-transitory computer readable medium including a signature processing program comprising: a key generation program to run on d (d is an integer of 1 or more) units of key generation devices, a signature program to run on a signature device, and a verification program to run on a verification device, and serving to execute a signature process using a basis B_(t) and a basis B*_(t) for at least one integer t=0, . . . , d, wherein the key generation program causes a computer to execute a first information input process of taking as input attribute information x^(→) _(t):=(x_(t,i)) (i=1, . . . , n_(t)) for an integer t among integers t=1, . . . , d which is predetermined for each of the key generation devices, a key element generation process of, for the integer t and each integer j=1, 2, generating a key element k*_(t,j) including a vector indicated in Formula 28 based on the attribute information x^(→) _(t) inputted in the first information input process, a predetermined value δ_(j), and a basis vector b*_(t,i) (i=1, . . . , 2n_(t)) of the basis B*_(t), and a signing key transmission process of transmitting, to the signature device, a signing key usk including: the key element k*_(t,j) generated in the key element generation process; and the attribute information x^(→) _(t), wherein the signature program causes the computer to execute a second information input process of taking as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v^(→) _(i)) and a negative tuple

(t, v^(→) _(i)) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v^(→) _(i):=(v_(i,i′)) (i′=1, . . . , n_(t)); a predetermined matrix M having L rows and r columns (r is an integer of 1 or more); and a message m, a signing key acquisition process of acquiring the signing key usk transmitted in the signing key transmission process of at least one key generation device among the d units of key generation devices, a complementary coefficient calculation process of, based on the variable ρ(i) inputted in the second information input process and the attribute information x_(t) included in the signing key usk acquired in the signing key acquisition process, specifying, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v^(→) _(i)), the signing key usk including x^(→) _(t) indicated by identification information t of the positive tuple being acquired in the signing key acquisition process, and with which an inner-product of v^(→) _(i) of the positive tuple and the attribute information x^(→) _(t) indicated by the identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), the signing key usk including x^(→) _(t) indicated by identification information t of the negative tuple being acquired in the signing key acquisition process, and with which an inner-product of v^(→) _(i) of the negative tuple and the attribute information x^(→) _(t) indicated by the identification information t of the negative tuple does not become 0; and calculating, concerning i included in the set I specified, a complementary coefficient α_(i) with which a total of α_(i)M_(i) based on M_(i) which is an element on an i-th row of the matrix M inputted in the second information input process becomes a predetermined vector h^(→), a signature element generation process of generating, for each integer i=1 . . . , L, a signature element s*_(i) including a vector indicated in Formula 29 using the basis vector b*_(t,i) (i=2n_(t)+1, 2n_(t)+2) of the basis B*_(t), based on a key element k_(t,1) and a key element k*_(t,2) included in the signing key usk, predetermined values ξ₁, E, and μ, and a value m′ calculated from the message m, by setting a value γ_(i) to satisfy γ_(i):=α_(i) when the integer i is included in the set I specified in the complementary coefficient calculation process and the variable ρ(i) is a positive tuple (t, v^(→) _(i)); by setting the value γ_(i) to satisfy γ_(i):=α_(i)/(v^(→) _(i)·x^(→) _(t)) when the integer i is included in the set I and the variable ρ(i) is a negative tuple

(t, v^(→) _(i)); and by setting the value γ_(i) to satisfy γ_(i):=0 when the integer i is not included in the set I, and a signature data transmission process of transmitting, to the verification device, signature data σ including: the signature element s*_(i) generated for each integer i=1, . . . , L in the signature element generation process; the message m; the variable ρ(i); and the matrix M, and wherein the verification program causes the computer to execute a data acquisition process of acquiring the signature data σ transmitted in the signature data transmission process, a vector generation process of generating a column vector s^(→T):=(s₁, . . . , s_(L))^(T):=M·f^(→T) based on a vector f^(→) having r pieces of elements and the matrix M included in the signature data σ acquired in the data acquisition process, and generating a column vector (s^(→′))^(T):=(s₁′, . . . , s_(L)′)^(T):=M·(f^(→)′)^(T) based on the matrix M and a vector f^(→)′ having r pieces of elements and satisfying s₀=h^(→)·(f^(→)′)^(T) where s₀=h^(→)·f^(→T), a verification element generation process of, for each integer i=1, . . . , L and based on the column vector s^(→T) and the column vector (s^(→)′)^(T) which are generated in the vector generation process, and predetermined values θ_(i), θ_(i)′, θ_(i)″, and σ_(i) for each integer i=1, . . . , L, generating a verification element c_(i) including a vector indicated in Formula 30, when the variable ρ(i) is a positive tuple (t, v^(→) _(i)), using a basis vector b_(t,i′) (i′=1, . . . , 2n_(t)+2) of the basis B_(t) indicated by identification information t of the positive tuple, and generating a verification element c_(i) including a vector indicated in Formula 31, when the variable ρ(i) is a negative tuple

(t, v^(→) _(i)), using a basis vector b_(t,i) (i=1, . . . , 2n_(t)+2) indicated by identification information t of the negative tuple, and a pairing operation process of verifying an authenticity of the signature data σ by conducting a pairing operation Π_(i=1) ^(L)e(c_(i),s*_(i)) for the verification element c_(i) generated in the verification element generation process, and the signature element s*_(i) included in the signature data σ, $\begin{matrix} {\left( {\overset{\overset{n_{t}}{︷}}{\left( {\delta_{j} + 1} \right)\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{- {\delta_{j}\left( {x_{t,1},\ldots\mspace{14mu},x_{t,n_{t}}} \right)}},0,\ldots\mspace{14mu},0} \right)B_{t}^{*}} & \left\lbrack {{Formula}\mspace{14mu} 28} \right\rbrack \\ {\mspace{76mu}{{\gamma_{i} \cdot \left( {{\xi_{1}k_{t,1}^{*}} + {\left( {E - \xi_{1}} \right)k_{t,2}^{*}}} \right)} + \left( {\mu\; b_{t,{{2n_{t}} + 1}}^{*}} \right) + {m^{\prime}\left( {\mu\; b_{t,{{2n_{t}} + 2}}^{*}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 29} \right\rbrack \\ {\left( {\overset{\overset{n_{t}}{︷}}{{s_{i} + {\theta_{i}v_{i,1}}},{\theta_{i}v_{i,2}},\ldots\mspace{14mu},{\theta_{i}v_{i,n_{t}}}},\overset{\overset{n_{t}}{︷}}{{s_{i}^{\prime} + {\theta_{i}^{\prime}v_{i,1}}},{\theta_{i}^{\prime}v_{i,2}},\ldots\mspace{11mu},{\theta_{i}^{\prime}v_{i,n_{t}}}},\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime}},0,\ldots\mspace{14mu},0} \right)B_{t}} & \left\lbrack {{Formula}\mspace{14mu} 30} \right\rbrack \\ {\left( {\overset{\overset{n_{t}}{︷}}{s_{i}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{n_{t}}{︷}}{s_{i}^{\prime}\left( {v_{i,1},\ldots\mspace{14mu},v_{i,n_{t}}} \right)},\overset{\overset{2}{︷}}{{\sigma_{i} - {\theta_{i}^{\prime\prime}m^{\prime}}},\theta_{i}^{\prime\prime}},0,\ldots\mspace{14mu},0} \right){B_{t}.}} & \left\lbrack {{Formula}\mspace{14mu} 31} \right\rbrack \end{matrix}$ 